{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","type":"composer","namespace":"craftcms","name":"cms","version":"5.9.11","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.9.18","latest_non_vulnerable_version":"5.9.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=json","vulnerability_id":"VCID-25ym-rhky-wbaq","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13161","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13137","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13156","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13059","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161"},{"reference_url":"https:
//github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"d30df3112220db1ffd6726a3ed11857014c7fb27","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","referen
ce_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33161","GHSA-vgjg-248p-rfm2"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=json","vulnerability_id":"VCID-5qkr-aqmx-8qau","summary":"Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. 
The action does not enforce per-asset view authorization prior to returning preview content.\n3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a","references":[{"reference_url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq"},{"reference_url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq","reference_id":"GHSA-44px-qjjc-xrhq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulne
rability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["GHSA-44px-qjjc-xrhq"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=json","vulnerability_id":"VCID-e3k3-fp6t-kycw","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14803","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14773","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14683","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14804","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267"},{"reference_url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33","reference_id":"6301e217c5f15617d939c432cb770db50af1
4b33","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"},{"reference_url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374516?format=json","purl":"pkg:composer/craftcms/cms@5.9.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q
-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12"}],"aliases":["CVE-2026-32267","GHSA-cc7p-2j3x-x7xf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=json","vulnerability_id":"VCID-gp2d-vv3n-euda","summary":"Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13144","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.1312","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13041","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13139","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129"},{"reference_url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f
","reference_id":"d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"},{"reference_url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373533?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41129","GHSA-3m9m-24vh-39wx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabil
ities/VCID-gp2d-vv3n-euda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78014?format=json","vulnerability_id":"VCID-h9fr-63qv-bffn","summary":"Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33162","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02173","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02185","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02178","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02175","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33162"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33162","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33162"},{"reference_url":"https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e","reference_id":"3c1ab1c4445dd9237855a66e6a06ecf3591a718e","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","
scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/"}],"url":"https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/advisories/GHSA-f582-6gf6-gx4g","reference_id":"GHSA-f582-6gf6-gx4g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f582-6gf6-gx4g"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g","reference_id":"GHSA-f582-6gf6-gx4g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:40:29Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability"
:"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33162","GHSA-f582-6gf6-gx4g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h9fr-63qv-bffn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=json","vulnerability_id":"VCID-j1d4-j44f-yqh9","summary":"Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02827","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02819","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0409","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.041","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44010","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail
/CVE-2026-44010"},{"reference_url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128","reference_id":"834b2cf61ad0dcee9b03add44ed402ebf18db128","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128"},{"reference_url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"GHSA-gj2p-p9m4-c8gw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"GHSA-gj2p-p9m4-c8gw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376015?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44010","GHSA-gj2p-p9m4-c8gw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9"}
,{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=json","vulnerability_id":"VCID-j6wk-k1jb-jfd5","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04013","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04003","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03998","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.04014","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_ele
ments":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e","reference_id":"7290d91639e","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e"},{"reference_url":"https://github.com/advisories/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5pgf-h923-m958"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958"}],"fixed_packages":[{"
url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33160","GHSA-5pgf-h923-m958"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=json","vulnerability_id":"VCID-j8qq-yre6-4bfx","summary":"Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06356","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06376","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06955","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.06946","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011"},{"reference_url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3","reference_id":"ab85ca7f5f926994f723f60584054a1f4c4c5de3","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"GHSA-qrgm-p9w5-rrfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"GHSA-qrgm-p9w5-rrfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376015?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44011","GHSA-qrgm-p9w5-rrfw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=json","vulnerability_id":"VCID-nep2-e16y-9yg4","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. 
This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06602","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06595","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06613","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06624","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T
:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592","reference_id":"7f0ead833f7c2b91ae12003caad833479dd08592","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592"},{"reference_url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9
"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33159","GHSA-6mrr-q3pj-h53w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=json","vulnerability_id":"VCID-py3b-5ps7-7fe3","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 
5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03906","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03918","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03898","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03916","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z
/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-
r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33158","GHSA-3pvf-vxrv-hh9c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=json","vulnerability_id":"VCID-smdx-nfbs-2qbx","summary":"Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). 
Versions 4.17.9 and 5.9.15 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16435","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16405","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1628","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16424","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130"},{"reference_url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783","reference_id":"ebe7e85f1c89700d64332f72492be2e9a594e783","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"},{"reference_url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh"},{"reference_url":"https://github.com/craftcms/cms/secur
ity/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373533?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41130","GHSA-95wr-3f2v-v2wh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81004?format=json","vulnerability_id":"VCID-sswc-d2f8-zyc9","summary":"Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. 
Version 5.9.15 contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41128","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12782","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12763","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12684","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12774","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41128"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41128","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41128"},{"reference_url":"https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27","reference_id":"b135384808ad43fcf8836a9dd9b877fb0087bc27","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/"}],"url":"https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27"},{"reference_url":"https://github.com/advisories/GHSA-jq2f-59pj-p3m3","reference_id":"GHSA-jq2f-59pj-p3m3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jq2f-59pj-p3m3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHS
A-jq2f-59pj-p3m3","reference_id":"GHSA-jq2f-59pj-p3m3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T18:13:25Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373533?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41128","GHSA-jq2f-59pj-p3m3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sswc-d2f8-zyc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77715?format=json","vulnerability_id":"VCID-up4q-hz23-vkcn","summary":"Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. 
This issue has been patched in version 5.9.13.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33157","reference_id":"","reference_type":"","scores":[{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27524","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.2753","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27322","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27547","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33157"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33157","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33157"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.13","reference_id":"5.9.13","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.13"},{"reference_url":"https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e","reference_id":"97e90b4bdee369c1af3ca77a77531132df240e4e","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N
/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/"}],"url":"https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"},{"reference_url":"https://github.com/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/advisories/GHSA-2fph-6v5w-89hh","reference_id":"GHSA-2fph-6v5w-89hh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2fph-6v5w-89hh"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh","reference_id":"GHSA-2fph-6v5w-89hh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"},{"reference_url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.7","sco
ring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374903?format=json","purl":"pkg:composer/craftcms/cms@5.9.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.13"}],"aliases":["CVE-2026-33157","GHSA-2fph-6v5w-89hh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-up4q-hz23-vkcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67762?format=json","vulnerability_id":"VCID-vj1t-r17b-rufc","summary":"Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. 
This vulnerability is fixed in 5.9.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44012","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.0171","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01713","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02419","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02427","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44012"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44012","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44012"},{"reference_url":"https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586","reference_id":"e3f3eaab3d85badd713cfc2c24e5f0792ecdb586","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/"}],"url":"https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586"},{"reference_url":"https://github.com/advisories/GHSA-33m5-hqp9-97pw","reference_id":"GHSA-33m5-hqp9-97pw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-33m5-hqp9-97pw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-33m5-
hqp9-97pw","reference_id":"GHSA-33m5-hqp9-97pw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376015?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44012","GHSA-33m5-hqp9-97pw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vj1t-r17b-rufc"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=json","vulnerability_id":"VCID-5r6n-351z-2ybh","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. 
This issue has been patched in versions 4.17.5 and 5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15481","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15489","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15456","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15346","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264"},{"reference_url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70","reference_id":"78d181e12e0b15e1300f54ec85f19859d3300f70","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"},{"reference_url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620","reference_id":"dfec46362fcb40b330ce8a4d8136446e65085620","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"H
IGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"},{"reference_url":"https://github.com/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374750?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"
vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32264","GHSA-4484-8v2f-5748"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77048?format=json","vulnerability_id":"VCID-6bwp-2ksu-xucy","summary":"Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. 
Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32263","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.1531","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15418","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.1545","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15443","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32263"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32263","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32263"},{"reference_url":"https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7","reference_id":"d37389dbffafa565143be40a2ab1e1db22a863f7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/"}],"url":"https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L
/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"},{"reference_url":"https://github.com/advisories/GHSA-qx2q-q59v-wf3j","reference_id":"GHSA-qx2q-q59v-wf3j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qx2q-q59v-wf3j"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j","reference_id":"GHSA-qx2q-q59v-wf3j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:21:06Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.
vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32263","GHSA-qx2q-q59v-wf3j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6bwp-2ksu-xucy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77735?format=json","vulnerability_id":"VCID-ayrf-rfwj-37bf","summary":"Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in with an elevated session active and the specifically crafted payload executes in their browser, the attacker’s account can be elevated to administrator. This issue has been fixed in version 
5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33051","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04745","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04725","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04731","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33051"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33051","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33051"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.11","reference_id":"5.9.11","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.11"},{"reference_url":"https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1","reference_id":"f634a9d21edcafd83a6716047d275f985aba6be1","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/"}],"url":"https://github.com/craftcms/cms/commit/f634a9d21e
dcafd83a6716047d275f985aba6be1"},{"reference_url":"https://github.com/advisories/GHSA-3x4w-mxpf-fhqq","reference_id":"GHSA-3x4w-mxpf-fhqq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x4w-mxpf-fhqq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq","reference_id":"GHSA-3x4w-mxpf-fhqq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T01:53:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-33051","GHSA-3x4w-mxpf-fhqq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ayrf-rfwj-37bf"},{"url":"http
://public2.vulnerablecode.io/api/vulnerabilities/77578?format=json","vulnerability_id":"VCID-yc89-41eq-b3eh","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12414","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12394","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12316","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12406","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262"},{"reference_url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfc
f11","reference_id":"c997efbe4c66c14092714233aeebff15cdbfcf11","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11"},{"reference_url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374750?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qb
x"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32262","GHSA-472v-j2g4-g9h2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}