{"url":"http://public2.vulnerablecode.io/api/packages/380972?format=json","purl":"pkg:composer/craftcms/cms@4.3.7","type":"composer","namespace":"craftcms","name":"cms","version":"4.3.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.17.12","latest_non_vulnerable_version":"5.9.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74057?format=json","vulnerability_id":"VCID-12yx-3kck-s7dp","summary":"Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17869","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069"},{"reference_url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8","reference_id":"c3d02d4a7246f516933f42106c0a67ce062f68d8","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069","reference_id":"CVE-2026-29069","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069"},{"reference_url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40199?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.2"},{"url":"http://public2.vulnerablecode.io/api/packages/40200?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2"}],"aliases":["CVE-2026-29069","GHSA-234q-vvw3-mrfq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12yx-3kck-s7dp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69186?format=json","vulnerability_id":"VCID-16h7-f3pe-8qh8","summary":"Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697","reference_id":"","reference_type":"","scores":[{"value":"0.00208","scoring_system":"epss","scoring_elements":"0.43296","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697"},{"reference_url":"https://github.com/craftcms/cms/pull/18216","reference_id":"18216","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18216"},{"reference_url":"https://github.com/craftcms/cms/pull/18219","reference_id":"18219","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18219"},{"reference_url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197","reference_id":"9dc2a4a3ec8e9cd5e8c0d1129f36371437519197","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697","reference_id":"CVE-2026-28697","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697"},{"reference_url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28697","GHSA-v47q-jxvr-p68x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16h7-f3pe-8qh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=json","vulnerability_id":"VCID-25ym-rhky-wbaq","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13059","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"d30df3112220db1ffd6726a3ed11857014c7fb27","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374878?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33161","GHSA-vgjg-248p-rfm2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79824?format=json","vulnerability_id":"VCID-543c-646v-4yfj","summary":"Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01543","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129"},{"reference_url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3","reference_id":"2825388b4f32fb1c9bd709027a1a1fd192d709a3","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129","reference_id":"CVE-2026-27129","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129"},{"reference_url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39528?format=json","purl":"pkg:composer/craftcms/cms@4.16.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19"},{"url":"http://public2.vulnerablecode.io/api/packages/39526?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27129","GHSA-v2gc-rm6g-wrw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-543c-646v-4yfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=json","vulnerability_id":"VCID-5qkr-aqmx-8qau","summary":"Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a","references":[{"reference_url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq"},{"reference_url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq","reference_id":"GHSA-44px-qjjc-xrhq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374878?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["GHSA-44px-qjjc-xrhq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=json","vulnerability_id":"VCID-5r6n-351z-2ybh","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15346","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264"},{"reference_url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70","reference_id":"78d181e12e0b15e1300f54ec85f19859d3300f70","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"},{"reference_url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620","reference_id":"dfec46362fcb40b330ce8a4d8136446e65085620","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"},{"reference_url":"https://github.com/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374750?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32264","GHSA-4484-8v2f-5748"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66241?format=json","vulnerability_id":"VCID-726q-jfsa-9qdz","summary":"Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04576","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2","reference_id":"96c60d775c644ff0a0276da52fe29e11d4cd38d2","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495","reference_id":"CVE-2026-25495","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495"},{"reference_url":"https://github.com/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38971?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38960?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25495","GHSA-2453-mppf-46cj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-726q-jfsa-9qdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69319?format=json","vulnerability_id":"VCID-76k8-sveq-3qbf","summary":"Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16124","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781"},{"reference_url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8","reference_id":"830b403870cd784b47ae42a3f5a16e7ac2d7f5a8","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"},{"reference_url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542","reference_id":"c6dcbdffaf6ab3ffe77d317336684d83699f4542","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781","reference_id":"CVE-2026-28781","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781"},{"reference_url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28781","GHSA-2xfc-g69j-x2mp"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-76k8-sveq-3qbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93304?format=json","vulnerability_id":"VCID-8kdh-rvh3-4yfv","summary":"Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16,  unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456","reference_id":"","reference_type":"","scores":[{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.44006","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"CHANGELOG.md#5821---2025-12-04","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456","reference_id":"CVE-2025-68456","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456"},{"reference_url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39","reference_id":"f83d4e0c6b906743206b4747db4abf8164b8da39","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"},{"reference_url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36519?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36516?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68456","GHSA-v64r-7wg9-23pr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8kdh-rvh3-4yfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93248?format=json","vulnerability_id":"VCID-8m8v-ymqs-fkh9","summary":"Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03989","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437"},{"reference_url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52","reference_id":"013db636fdb38f3ce5657fd196b6d952f98ebc52","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"CHANGELOG.md#5821---2025-12-04","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437","reference_id":"CVE-2025-68437","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437"},{"reference_url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36519?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36516?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68437","GHSA-x27p-wfqw-hfcc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8m8v-ymqs-fkh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71374?format=json","vulnerability_id":"VCID-8rkv-wfha-n7hb","summary":"Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31857","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33522","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31857"},{"reference_url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80","reference_id":"8d4903647dcfd31b8d40ed027e27082013347a80","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/"}],"url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857","reference_id":"CVE-2026-31857","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857"},{"reference_url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j-j7j4-mcxc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j-j7j4-mcxc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40449?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/40681?format=json","purl":"pkg:composer/craftcms/cms@5.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9"}],"aliases":["CVE-2026-31857","GHSA-fp5j-j7j4-mcxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8rkv-wfha-n7hb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/144143?format=json","vulnerability_id":"VCID-9fqv-dg3y-wbbf","summary":"Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33194","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19585","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33194"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33194","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33194"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.6","reference_id":"4.4.6","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.6"},{"reference_url":"https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888","reference_id":"9d0cd0bda7c8a830a3373f8c0f06943e519ac888","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888"},{"reference_url":"https://github.com/advisories/GHSA-3wxg-w96j-8hq9","reference_id":"GHSA-3wxg-w96j-8hq9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3wxg-w96j-8hq9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9","reference_id":"GHSA-3wxg-w96j-8hq9","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381988?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-33194","GHSA-3wxg-w96j-8hq9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9fqv-dg3y-wbbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143726?format=json","vulnerability_id":"VCID-9krv-seyq-juez","summary":"Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33196","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.2641","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33196"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196"},{"reference_url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7","reference_id":"053d7119697e480ff81c5723bb9a33eaa49e0fc7","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.7","reference_id":"4.4.7","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.7"},{"reference_url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/629835?format=json","purl":"pkg:composer/craftcms/cms@4.4.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/382058?format=json","purl":"pkg:composer/craftcms/cms@4.4.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7"}],"aliases":["CVE-2023-33196","GHSA-cjmm-x9x9-m2w5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9krv-seyq-juez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/144141?format=json","vulnerability_id":"VCID-9yny-vu36-tyes","summary":"Craft CMS through 4.4.9 is vulnerable to HTML Injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33495","reference_id":"","reference_type":"","scores":[{"value":"0.00168","scoring_system":"epss","scoring_elements":"0.37785","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33495"},{"reference_url":"https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://medium.com/@mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33495","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33495"},{"reference_url":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection","reference_id":"03-Testing_for_HTML_Injection","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/"}],"url":"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/03-Testing_for_HTML_Injection"},{"reference_url":"https://github.com/advisories/GHSA-m3v5-gjj9-rg24","reference_id":"GHSA-m3v5-gjj9-rg24","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m3v5-gjj9-rg24"},{"reference_url":"https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212","reference_id":"html-injection-in-craft-cms-application-e2b28f746212","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T21:12:01Z/"}],"url":"https://medium.com/%40mondalsomnath9135/html-injection-in-craft-cms-application-e2b28f746212"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393709?format=json","purl":"pkg:composer/craftcms/cms@4.4.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.10"}],"aliases":["CVE-2023-33495","GHSA-m3v5-gjj9-rg24"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9yny-vu36-tyes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/150450?format=json","vulnerability_id":"VCID-a9bc-cgqq-jkfh","summary":"Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40035","reference_id":"","reference_type":"","scores":[{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.5439","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40035"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035"},{"reference_url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5","reference_id":"0bd33861abdc60c93209cff03eeee54504d3d3b5","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/3.8.15","reference_id":"3.8.15","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/3.8.15"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.15","reference_id":"4.4.15","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.15"},{"reference_url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379644?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-40035","GHSA-44wr-rmwq-3phw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a9bc-cgqq-jkfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143897?format=json","vulnerability_id":"VCID-ad7v-5hxr-s3a4","summary":"Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33197","reference_id":"","reference_type":"","scores":[{"value":"0.00848","scoring_system":"epss","scoring_elements":"0.75298","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33197"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33197","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33197"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.6","reference_id":"4.4.6","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.6"},{"reference_url":"https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766","reference_id":"8c2ad0bd313015b8ee42326af2848ee748f1d766","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766"},{"reference_url":"https://github.com/advisories/GHSA-6qjx-787v-6pxr","reference_id":"GHSA-6qjx-787v-6pxr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qjx-787v-6pxr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr","reference_id":"GHSA-6qjx-787v-6pxr","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381988?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-33197","GHSA-6qjx-787v-6pxr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ad7v-5hxr-s3a4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65868?format=json","vulnerability_id":"VCID-b25s-j3du-sfg5","summary":"Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles. This issue is patched in versions 4.16.18 and 5.8.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08265","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513","reference_id":"cb5fb0e979e72f315c9178fc031883d49527f513","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496","reference_id":"CVE-2026-25496","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496"},{"reference_url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38971?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38960?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25496","GHSA-9f5h-mmq6-2x78"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b25s-j3du-sfg5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74141?format=json","vulnerability_id":"VCID-bn85-sts4-5ygq","summary":"Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00691","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113"},{"reference_url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_id":"6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113","reference_id":"CVE-2026-29113","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113"},{"reference_url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40449?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/40451?format=json","purl":"pkg:composer/craftcms/cms@5.9.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7"}],"aliases":["CVE-2026-29113","GHSA-vg3j-hpm9-8v5v"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bn85-sts4-5ygq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69393?format=json","vulnerability_id":"VCID-br1f-q8nk-v7b3","summary":"Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28695","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08234","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28695"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695","reference_id":"CVE-2026-28695","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695"},{"reference_url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0","reference_id":"e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"},{"reference_url":"https://github.com/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-94rc-cqvm-m4pw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28695","GHSA-94rc-cqvm-m4pw"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-br1f-q8nk-v7b3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/358928?format=json","vulnerability_id":"VCID-c38g-6ttm-yuep","summary":"","references":[{"reference_url":"http://github.com/craftcms/cms/pull/17026","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/craftcms/cms/pull/17026"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731","reference_id":"","reference_type":"","scores":[{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76267","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731"},{"reference_url":"https://github.com/advisories/GHSA-7c58-g782-9j38","reference_id":"GHSA-7c58-g782-9j38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7c58-g782-9j38"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378958?format=json","purl":"pkg:composer/craftcms/cms@4.14.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.13"},{"url":"http://public2.vulnerablecode.io/api/packages/378959?format=json","purl":"pkg:composer/craftcms/cms@5.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15"}],"aliases":["CVE-2025-46731","GHSA-7c58-g782-9j38"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c38g-6ttm-yuep"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/129860?format=json","vulnerability_id":"VCID-cneu-aazx-byfq","summary":"CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30179","reference_id":"","reference_type":"","scores":[{"value":"0.05499","scoring_system":"epss","scoring_elements":"0.90431","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30179"},{"reference_url":"https://github.com/github/advisory-database/pull/2443","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/github/advisory-database/pull/2443"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30179","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30179"},{"reference_url":"https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714","reference_id":"2443#issuecomment-1610040714","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/"}],"url":"https://github.com/github/advisory-database/pull/2443#issuecomment-1610040714"},{"reference_url":"https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200","reference_id":"2443#issuecomment-1610634200","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/"}],"url":"https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14","reference_id":"CHANGELOG.md#442---2023-03-14","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/"}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#442---2023-03-14"},{"reference_url":"https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection","reference_id":"cve-2023-30179-server-side-template-injection","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-03T20:04:19Z/"}],"url":"https://datnlq.gitbook.io/cve/craft-cms/cve-2023-30179-server-side-template-injection"},{"reference_url":"https://github.com/advisories/GHSA-3x74-v64j-qc3f","reference_id":"GHSA-3x74-v64j-qc3f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3x74-v64j-qc3f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381899?format=json","purl":"pkg:composer/craftcms/cms@4.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9fqv-dg3y-wbbf"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-ad7v-5hxr-s3a4"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h3za-7cd7-vkav"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tf8p-xrne-8qfg"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-vvej-1fex-kqdn"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.2"}],"aliases":["CVE-2023-30179","GHSA-3x74-v64j-qc3f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cneu-aazx-byfq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114672?format=json","vulnerability_id":"VCID-czuy-m8wp-fka2","summary":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"0.93094","scoring_system":"epss","scoring_elements":"0.99799","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432"},{"reference_url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432"},{"reference_url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"},{"reference_url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical","reference_id":"CHANGELOG.md#3915---2025-04-10-critical","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical","reference_id":"CHANGELOG.md#41415---2025-04-10-critical","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical","reference_id":"CHANGELOG.md#5617---2025-04-10-critical","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py","reference_id":"CVE-2025-32432","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py"},{"reference_url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47","reference_id":"e1c85441fa47eeb7c688c2053f25419bc0547b47","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"},{"reference_url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376456?format=json","purl":"pkg:composer/craftcms/cms@4.14.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15"},{"url":"http://public2.vulnerablecode.io/api/packages/376457?format=json","purl":"pkg:composer/craftcms/cms@5.6.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17"}],"aliases":["CVE-2025-32432","GHSA-f3gw-9ww9-jmc3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-czuy-m8wp-fka2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=json","vulnerability_id":"VCID-e3k3-fp6t-kycw","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14683","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267"},{"reference_url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33","reference_id":"6301e217c5f15617d939c432cb770db50af14b33","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"},{"reference_url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374515?format=json","purl":"pkg:composer/craftcms/cms@4.17.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.6"},{"url":"http://public2.vulnerablecode.io/api/packages/374516?format=json","purl":"pkg:composer/craftcms/cms@5.9.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12"}],"aliases":["CVE-2026-32267","GHSA-cc7p-2j3x-x7xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212713?format=json","vulnerability_id":"VCID-e9qn-ar3q-g3e4","summary":"Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options","references":[{"reference_url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2"},{"reference_url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276"},{"reference_url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["GHSA-4mgv-366x-qxvx"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e9qn-ar3q-g3e4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43464?format=json","vulnerability_id":"VCID-eypa-1c6q-tfau","summary":"Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293","reference_id":"","reference_type":"","scores":[{"value":"0.21994","scoring_system":"epss","scoring_elements":"0.95902","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293"},{"reference_url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58","reference_id":"123e48a696de1e2f63ab519d4730eb3b87beaa58","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"},{"reference_url":"https://github.com/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3cw-hg6r-chfv"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372815?format=json","purl":"pkg:composer/craftcms/cms@4.12.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372816?format=json","purl":"pkg:composer/craftcms/cms@5.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3"}],"aliases":["CVE-2024-52293","GHSA-f3cw-hg6r-chfv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eypa-1c6q-tfau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105090?format=json","vulnerability_id":"VCID-fs3m-av1v-fuf1","summary":"Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"0.39398","scoring_system":"epss","scoring_elements":"0.9739","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939"},{"reference_url":"https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"},{"reference_url":"https://github.com/craftcms/cms/pull/17220","reference_id":"17220","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcms/cms/pull/17220"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.15.3","reference_id":"4.15.3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.15.3"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.7.5","reference_id":"5.7.5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.7.5"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-35939","reference_id":"CVERecord?id=CVE-2025-35939","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-35939"},{"reference_url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2","reference_id":"GHSA-7vrx-9684-xrf2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2"},{"reference_url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json","reference_id":"va-25-147-01.json","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40673?format=json","purl":"pkg:composer/craftcms/cms@4.15.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40676?format=json","purl":"pkg:composer/craftcms/cms@5.7.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5"}],"aliases":["CVE-2025-35939","GHSA-7vrx-9684-xrf2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fs3m-av1v-fuf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69357?format=json","vulnerability_id":"VCID-g637-7ns6-kyhj","summary":"Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11156","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783"},{"reference_url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"18208","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783","reference_id":"CVE-2026-28783","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783"},{"reference_url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28783","GHSA-5fvc-7894-ghp4"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g637-7ns6-kyhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356642?format=json","vulnerability_id":"VCID-gjvb-ht1w-s3hm","summary":"","references":[{"reference_url":"http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41892","reference_id":"","reference_type":"","scores":[{"value":"0.93824","scoring_system":"epss","scoring_elements":"0.99872","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41892"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857"},{"reference_url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41892","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41892"},{"reference_url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379644?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-41892","GHSA-4w8r-3xrw-v25g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gjvb-ht1w-s3hm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=json","vulnerability_id":"VCID-gp2d-vv3n-euda","summary":"Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13041","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129"},{"reference_url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","reference_id":"d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"},{"reference_url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373534?format=json","purl":"pkg:composer/craftcms/cms@4.17.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9"},{"url":"http://public2.vulnerablecode.io/api/packages/373533?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41129","GHSA-3m9m-24vh-39wx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80104?format=json","vulnerability_id":"VCID-grmm-88sf-wyd4","summary":"Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00711","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127"},{"reference_url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html"},{"reference_url":"https://github.com/mogwailabs/DNSrebinder","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mogwailabs/DNSrebinder"},{"reference_url":"https://github.com/nccgroup/singularity","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nccgroup/singularity"},{"reference_url":"https://github.com/taviso/rbndr","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taviso/rbndr"},{"reference_url":"https://unit42.paloaltonetworks.com/dns-rebinding","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://unit42.paloaltonetworks.com/dns-rebinding"},{"reference_url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575","reference_id":"a4cf3fb63bba3249cf1e2882b18a2d29e77a8575","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127","reference_id":"CVE-2026-27127","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127"},{"reference_url":"https://github.com/advisories/GHSA-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39528?format=json","purl":"pkg:composer/craftcms/cms@4.16.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19"},{"url":"http://public2.vulnerablecode.io/api/packages/39526?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27127","GHSA-gp2f-7wcm-5fhx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-grmm-88sf-wyd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143927?format=json","vulnerability_id":"VCID-h3za-7cd7-vkav","summary":"Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33195","reference_id":"","reference_type":"","scores":[{"value":"0.00848","scoring_system":"epss","scoring_elements":"0.75298","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33195"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33195","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33195"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.6","reference_id":"4.4.6","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.6"},{"reference_url":"https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f","reference_id":"b77cb3023bed4f4a37c11294c4d319ff9f598e1f","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/"}],"url":"https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f"},{"reference_url":"https://github.com/advisories/GHSA-qpgm-gjgf-8c2x","reference_id":"GHSA-qpgm-gjgf-8c2x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpgm-gjgf-8c2x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x","reference_id":"GHSA-qpgm-gjgf-8c2x","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T18:21:14Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381988?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-33195","GHSA-qpgm-gjgf-8c2x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h3za-7cd7-vkav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/151232?format=json","vulnerability_id":"VCID-hh13-6e1x-p7ez","summary":"A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2817","reference_id":"","reference_type":"","scores":[{"value":"0.00337","scoring_system":"epss","scoring_elements":"0.56903","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2817"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2817","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2817"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tenable.com/security/research/tra-2023-20"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20,","reference_id":"","reference_type":"","scores":[],"url":"https://www.tenable.com/security/research/tra-2023-20,"},{"reference_url":"https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb","reference_id":"7655e1009ba6cdbfb230e6bb138b775b69fc7bcb","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/"}],"url":"https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb"},{"reference_url":"https://github.com/advisories/GHSA-7x94-jx75-3gh6","reference_id":"GHSA-7x94-jx75-3gh6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x94-jx75-3gh6"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20%2C","reference_id":"tra-2023-20%2C","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/"}],"url":"https://www.tenable.com/security/research/tra-2023-20%2C"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381957?format=json","purl":"pkg:composer/craftcms/cms@4.4.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12"}],"aliases":["CVE-2023-2817","GHSA-7x94-jx75-3gh6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hh13-6e1x-p7ez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43699?format=json","vulnerability_id":"VCID-htqk-ckr5-jbcu","summary":"Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowing the attacker to read arbitrary files on the server. This is fixed in 5.4.9 and 4.12.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52292","reference_id":"","reference_type":"","scores":[{"value":"0.00428","scoring_system":"epss","scoring_elements":"0.62869","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52292"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52292","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52292"},{"reference_url":"https://github.com/advisories/GHSA-cw6g-qmjq-6w2w","reference_id":"GHSA-cw6g-qmjq-6w2w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cw6g-qmjq-6w2w"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w","reference_id":"GHSA-cw6g-qmjq-6w2w","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372805?format=json","purl":"pkg:composer/craftcms/cms@4.12.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8"},{"url":"http://public2.vulnerablecode.io/api/packages/372804?format=json","purl":"pkg:composer/craftcms/cms@5.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9"}],"aliases":["CVE-2024-52292","GHSA-cw6g-qmjq-6w2w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-htqk-ckr5-jbcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=json","vulnerability_id":"VCID-j1d4-j44f-yqh9","summary":"Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02819","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44010","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44010"},{"reference_url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128","reference_id":"834b2cf61ad0dcee9b03add44ed402ebf18db128","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128"},{"reference_url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"GHSA-gj2p-p9m4-c8gw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"GHSA-gj2p-p9m4-c8gw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376014?format=json","purl":"pkg:composer/craftcms/cms@4.17.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12"},{"url":"http://public2.vulnerablecode.io/api/packages/376015?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44010","GHSA-gj2p-p9m4-c8gw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=json","vulnerability_id":"VCID-j6wk-k1jb-jfd5","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03998","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e","reference_id":"7290d91639e","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e"},{"reference_url":"https://github.com/advisories/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5pgf-h923-m958"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374878?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33160","GHSA-5pgf-h923-m958"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=json","vulnerability_id":"VCID-j8qq-yre6-4bfx","summary":"Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06356","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011"},{"reference_url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3","reference_id":"ab85ca7f5f926994f723f60584054a1f4c4c5de3","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"GHSA-qrgm-p9w5-rrfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"GHSA-qrgm-p9w5-rrfw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376014?format=json","purl":"pkg:composer/craftcms/cms@4.17.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12"},{"url":"http://public2.vulnerablecode.io/api/packages/376015?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44011","GHSA-qrgm-p9w5-rrfw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91564?format=json","vulnerability_id":"VCID-kb3b-8hqt-nqfj","summary":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"0.1639","scoring_system":"epss","scoring_elements":"0.9502","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23209"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"},{"reference_url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603","reference_id":"e59e22b30c9dd39e5e2c7fe02c147bcbd004e603","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603"},{"reference_url":"https://github.com/advisories/GHSA-x684-96hh-833x","reference_id":"GHSA-x684-96hh-833x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x684-96hh-833x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x","reference_id":"GHSA-x684-96hh-833x","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret","reference_id":"securing-craft#keep-your-secrets-secret","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377040?format=json","purl":"pkg:composer/craftcms/cms@4.13.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.8"},{"url":"http://public2.vulnerablecode.io/api/packages/377039?format=json","purl":"pkg:composer/craftcms/cms@5.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-f67g-n9d6-pkb5"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8"}],"aliases":["CVE-2025-23209","GHSA-x684-96hh-833x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kb3b-8hqt-nqfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136517?format=json","vulnerability_id":"VCID-mhqg-hey8-6bee","summary":"An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has \"nothing to do with security.\"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36260","reference_id":"","reference_type":"","scores":[{"value":"0.00366","scoring_system":"epss","scoring_elements":"0.59001","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36260"},{"reference_url":"https://github.com/craftcms/feed-me","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/feed-me"},{"reference_url":"https://github.com/craftcms/feed-me/releases/tag/4.6.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/feed-me/releases/tag/4.6.2"},{"reference_url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28","reference_id":"b5d6ede51848349bd91bc95fec288b6793f15e28","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/"}],"url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28"},{"reference_url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29","reference_id":"b5d6ede51848349bd91bc95fec288b6793f15e28%29","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/"}],"url":"https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36260","reference_id":"CVE-2023-36260","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36260"},{"reference_url":"https://github.com/advisories/GHSA-6p78-f7h9-6838","reference_id":"GHSA-6p78-f7h9-6838","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6p78-f7h9-6838"},{"reference_url":"https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D","reference_id":"?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/"}],"url":"https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28616?format=json","purl":"pkg:composer/craftcms/cms@4.6.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/394995?format=json","purl":"pkg:composer/craftcms/cms@4.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0"}],"aliases":["CVE-2023-36260","GHSA-6p78-f7h9-6838"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mhqg-hey8-6bee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=json","vulnerability_id":"VCID-nep2-e16y-9yg4","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06602","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592","reference_id":"7f0ead833f7c2b91ae12003caad833479dd08592","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592"},{"reference_url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374878?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33159","GHSA-6mrr-q3pj-h53w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69160?format=json","vulnerability_id":"VCID-nhab-uyen-ayhq","summary":"Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07094","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696"},{"reference_url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9","reference_id":"4d98a07e47580f1712095825d3e3c4d67bc9f8b9","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696","reference_id":"CVE-2026-28696","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696"},{"reference_url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28696","GHSA-7x43-mpfg-r9wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhab-uyen-ayhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65884?format=json","vulnerability_id":"VCID-p8kk-e27s-n7cs","summary":"Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05818","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98","reference_id":"0974055634af68998f67850ab2045d8aaa19fa98","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493","reference_id":"CVE-2026-25493","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493"},{"reference_url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38971?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38960?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25493","GHSA-8jr8-7hr4-vhfx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p8kk-e27s-n7cs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43495?format=json","vulnerability_id":"VCID-pfwt-hxpb-4ub8","summary":"Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Note that this will only work if you have an authenticated administrator account with allowAdminChanges enabled. This is fixed in 5.4.6 and 4.12.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31684","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291"},{"reference_url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"GHSA-jrh5-vhr9-qh7q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"GHSA-jrh5-vhr9-qh7q","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372858?format=json","purl":"pkg:composer/craftcms/cms@4.12.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.5"},{"url":"http://public2.vulnerablecode.io/api/packages/372857?format=json","purl":"pkg:composer/craftcms/cms@5.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6"}],"aliases":["CVE-2024-52291","GHSA-jrh5-vhr9-qh7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pfwt-hxpb-4ub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=json","vulnerability_id":"VCID-py3b-5ps7-7fe3","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03898","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"4.17.8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"5.9.14","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374878?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/374877?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33158","GHSA-3pvf-vxrv-hh9c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69679?format=json","vulnerability_id":"VCID-qmcc-3ued-m7gk","summary":"Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12995","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782","reference_id":"CVE-2026-28782","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782"},{"reference_url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d","reference_id":"fb61a91357f5761c852400185ba931f51d82783d","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"},{"reference_url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28782","GHSA-jxm3-pmm2-9gf6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qmcc-3ued-m7gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93099?format=json","vulnerability_id":"VCID-qrmg-jky7-87cb","summary":"Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454","reference_id":"","reference_type":"","scores":[{"value":"0.00499","scoring_system":"epss","scoring_elements":"0.66351","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"CHANGELOG.md#5821---2025-12-04","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454","reference_id":"CVE-2025-68454","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454"},{"reference_url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe","reference_id":"d82680f4a05f9576883bb83c3f6243d33ca73ebe","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"},{"reference_url":"https://github.com/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-742x-x762-7383"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36519?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36516?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68454","GHSA-742x-x762-7383"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrmg-jky7-87cb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65934?format=json","vulnerability_id":"VCID-r47n-36pn-cbe4","summary":"Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07428","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409","reference_id":"ac7edf868c1a81fd9c4dc49d3b3edf1cce113409","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497","reference_id":"CVE-2026-25497","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497"},{"reference_url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-25497","GHSA-fxp3-g6gw-4r4v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r47n-36pn-cbe4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93536?format=json","vulnerability_id":"VCID-rezz-ka5s-hyg2","summary":"Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455","reference_id":"","reference_type":"","scores":[{"value":"0.0114","scoring_system":"epss","scoring_elements":"0.78828","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455"},{"reference_url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7","reference_id":"27f55886098b56c00ddc53b69239c9c9192252c7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"},{"reference_url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef","reference_id":"6e608a1a5bfb36943f94f584b7548ca542a86fef","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"CHANGELOG.md#5821---2025-12-04","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455","reference_id":"CVE-2025-68455","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455"},{"reference_url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593","reference_id":"ec43c497edde0b2bf2e39a119cded2e55f9fe593","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"},{"reference_url":"https://github.com/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36519?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36516?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68455","GHSA-255j-qw47-wjh5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rezz-ka5s-hyg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=json","vulnerability_id":"VCID-smdx-nfbs-2qbx","summary":"Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1628","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130"},{"reference_url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783","reference_id":"ebe7e85f1c89700d64332f72492be2e9a594e783","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"},{"reference_url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373534?format=json","purl":"pkg:composer/craftcms/cms@4.17.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9"},{"url":"http://public2.vulnerablecode.io/api/packages/373533?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41130","GHSA-95wr-3f2v-v2wh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143213?format=json","vulnerability_id":"VCID-tf8p-xrne-8qfg","summary":"Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32679","reference_id":"","reference_type":"","scores":[{"value":"0.06429","scoring_system":"epss","scoring_elements":"0.9126","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32679"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32679","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32679"},{"reference_url":"https://github.com/advisories/GHSA-vqxf-r9ph-cc9c","reference_id":"GHSA-vqxf-r9ph-cc9c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vqxf-r9ph-cc9c"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c","reference_id":"GHSA-vqxf-r9ph-cc9c","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-21T17:06:00Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vqxf-r9ph-cc9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381988?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-32679","GHSA-vqxf-r9ph-cc9c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tf8p-xrne-8qfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121029?format=json","vulnerability_id":"VCID-tfc8-rkdd-53f7","summary":"Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45622","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811"},{"reference_url":"https://github.com/craftcms/cms/pull/17612","reference_id":"17612","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/pull/17612"},{"reference_url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc","reference_id":"e77f8a287dcdda41f1724f525d03542f18566cbc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"},{"reference_url":"https://github.com/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377731?format=json","purl":"pkg:composer/craftcms/cms@4.16.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40131?format=json","purl":"pkg:composer/craftcms/cms@5.8.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7"}],"aliases":["CVE-2025-57811","GHSA-crcq-738g-pqvc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tfc8-rkdd-53f7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65908?format=json","vulnerability_id":"VCID-vrpf-parp-7kgr","summary":"Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498","reference_id":"","reference_type":"","scores":[{"value":"0.00368","scoring_system":"epss","scoring_elements":"0.59171","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748","reference_id":"395c64f0b80b507be1c862a2ec942eaacb353748","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498","reference_id":"CVE-2026-25498","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498"},{"reference_url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38971?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38960?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25498","GHSA-7jx7-3846-m7w7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vrpf-parp-7kgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/137261?format=json","vulnerability_id":"VCID-vvej-1fex-kqdn","summary":"Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31144","reference_id":"","reference_type":"","scores":[{"value":"0.00669","scoring_system":"epss","scoring_elements":"0.71787","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-31144"},{"reference_url":"https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/e2f7e7b7d86a0afa54ce855375d13c7760670764"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31144","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31144"},{"reference_url":"https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442","reference_id":"52bd161614620edbab2d24d078ca9ebca2528442","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-28T16:40:35Z/"}],"url":"https://github.com/craftcms/cms/commit/52bd161614620edbab2d24d078ca9ebca2528442"},{"reference_url":"https://github.com/advisories/GHSA-j4mx-98hw-6rv6","reference_id":"GHSA-j4mx-98hw-6rv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j4mx-98hw-6rv6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6","reference_id":"GHSA-j4mx-98hw-6rv6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-28T16:40:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-j4mx-98hw-6rv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382053?format=json","purl":"pkg:composer/craftcms/cms@4.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9fqv-dg3y-wbbf"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-ad7v-5hxr-s3a4"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h3za-7cd7-vkav"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tf8p-xrne-8qfg"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.4"}],"aliases":["CVE-2023-31144","GHSA-j4mx-98hw-6rv6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vvej-1fex-kqdn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49227?format=json","vulnerability_id":"VCID-wcsx-j8xk-r7c7","summary":"Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21622","reference_id":"","reference_type":"","scores":[{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.2763","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21622"},{"reference_url":"https://github.com/craftcms/cms/pull/13931","reference_id":"13931","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/pull/13931"},{"reference_url":"https://github.com/craftcms/cms/pull/13932","reference_id":"13932","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/pull/13932"},{"reference_url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa","reference_id":"76caf9af07d9964be0fd362772223be6a5f5b6aa","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"},{"reference_url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843","reference_id":"be81eb653d633833f2ab22510794abb6bb9c0843","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"},{"reference_url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16","reference_id":"CHANGELOG.md#396---2023-11-16","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16","reference_id":"CHANGELOG.md#4511---2023-11-16","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622","reference_id":"CVE-2024-21622","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622"},{"reference_url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28261?format=json","purl":"pkg:composer/craftcms/cms@4.5.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11"}],"aliases":["CVE-2024-21622","GHSA-j5g9-j7r4-6qvx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wcsx-j8xk-r7c7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93221?format=json","vulnerability_id":"VCID-wnr9-2wyr-wug4","summary":"Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11692","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436"},{"reference_url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","reference_id":"4bcb0db554e273b66ce3b75263a13414c2368fc9","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436","reference_id":"CVE-2025-68436","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436"},{"reference_url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36519?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/36516?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68436","GHSA-53vf-c43h-j2x9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wnr9-2wyr-wug4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42210?format=json","vulnerability_id":"VCID-x12b-mjr9-sba2","summary":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"0.93926","scoring_system":"epss","scoring_elements":"0.99888","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145"},{"reference_url":"https://github.com/Chocapikk/CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Chocapikk/CVE-2024-56145"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145"},{"reference_url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3","reference_id":"82e893fb794d30563da296bca31379c0df0079b3","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3"},{"reference_url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372511?format=json","purl":"pkg:composer/craftcms/cms@4.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372510?format=json","purl":"pkg:composer/craftcms/cms@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qr5e-wjjt-zudz"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-uxc7-pe63-2khp"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2"}],"aliases":["CVE-2024-56145","GHSA-2p6p-9rc9-62j9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x12b-mjr9-sba2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69404?format=json","vulnerability_id":"VCID-x1w2-ytck-17bn","summary":"Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06182","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"18208","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784","reference_id":"CVE-2026-28784","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784"},{"reference_url":"https://github.com/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc86-q28f-ggww"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"securing-craft#set-allowAdminChanges-to-false-in-production","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38982?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/38984?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-ayrf-rfwj-37bf"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28784","GHSA-qc86-q28f-ggww"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1w2-ytck-17bn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65892?format=json","vulnerability_id":"VCID-y2ya-ys74-vqbv","summary":"Craft is a platform for creating digital experiences.  In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05818","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"5.8.22","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494","reference_id":"CVE-2026-25494","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494"},{"reference_url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2","reference_id":"d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2"},{"reference_url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38971?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38960?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-1c7e-bv58-33ax"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-6bwp-2ksu-xucy"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-7mph-yq7h-5yb8"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9yzy-78sh-xydu"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-bsh8-7q16-t7e4"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-tte6-fheg-g7hg"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25494","GHSA-m5r2-8p9x-hp5m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y2ya-ys74-vqbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77578?format=json","vulnerability_id":"VCID-yc89-41eq-b3eh","summary":"Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12316","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262"},{"reference_url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11","reference_id":"c997efbe4c66c14092714233aeebff15cdbfcf11","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11"},{"reference_url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374750?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/374751?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-h9fr-63qv-bffn"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-sswc-d2f8-zyc9"},{"vulnerability":"VCID-up4q-hz23-vkcn"},{"vulnerability":"VCID-vj1t-r17b-rufc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32262","GHSA-472v-j2g4-g9h2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/130319?format=json","vulnerability_id":"VCID-t37k-f7k1-gyhz","summary":"Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23927","reference_id":"","reference_type":"","scores":[{"value":"0.02749","scoring_system":"epss","scoring_elements":"0.8632","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23927"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23927","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23927"},{"reference_url":"https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4","reference_id":"215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03","reference_id":"CHANGELOG.md#437---2023-02-03","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03"},{"reference_url":"https://github.com/advisories/GHSA-qcrj-6ffc-v7hq","reference_id":"GHSA-qcrj-6ffc-v7hq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcrj-6ffc-v7hq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq","reference_id":"GHSA-qcrj-6ffc-v7hq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/380973?format=json","purl":"pkg:composer/craftcms/cms@3.7.64","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-9fqv-dg3y-wbbf"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-ad7v-5hxr-s3a4"},{"vulnerability":"VCID-aujg-14fc-1qeb"},{"vulnerability":"VCID-cneu-aazx-byfq"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e4ep-2ng5-1kbm"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-t37k-f7k1-gyhz"},{"vulnerability":"VCID-vvej-1fex-kqdn"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-x12b-mjr9-sba2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.7.64"},{"url":"http://public2.vulnerablecode.io/api/packages/380972?format=json","purl":"pkg:composer/craftcms/cms@4.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12yx-3kck-s7dp"},{"vulnerability":"VCID-16h7-f3pe-8qh8"},{"vulnerability":"VCID-25ym-rhky-wbaq"},{"vulnerability":"VCID-543c-646v-4yfj"},{"vulnerability":"VCID-5qkr-aqmx-8qau"},{"vulnerability":"VCID-5r6n-351z-2ybh"},{"vulnerability":"VCID-726q-jfsa-9qdz"},{"vulnerability":"VCID-76k8-sveq-3qbf"},{"vulnerability":"VCID-8kdh-rvh3-4yfv"},{"vulnerability":"VCID-8m8v-ymqs-fkh9"},{"vulnerability":"VCID-8rkv-wfha-n7hb"},{"vulnerability":"VCID-9fqv-dg3y-wbbf"},{"vulnerability":"VCID-9krv-seyq-juez"},{"vulnerability":"VCID-9yny-vu36-tyes"},{"vulnerability":"VCID-a9bc-cgqq-jkfh"},{"vulnerability":"VCID-ad7v-5hxr-s3a4"},{"vulnerability":"VCID-b25s-j3du-sfg5"},{"vulnerability":"VCID-bn85-sts4-5ygq"},{"vulnerability":"VCID-br1f-q8nk-v7b3"},{"vulnerability":"VCID-c38g-6ttm-yuep"},{"vulnerability":"VCID-cneu-aazx-byfq"},{"vulnerability":"VCID-czuy-m8wp-fka2"},{"vulnerability":"VCID-e3k3-fp6t-kycw"},{"vulnerability":"VCID-e9qn-ar3q-g3e4"},{"vulnerability":"VCID-eypa-1c6q-tfau"},{"vulnerability":"VCID-fs3m-av1v-fuf1"},{"vulnerability":"VCID-g637-7ns6-kyhj"},{"vulnerability":"VCID-gjvb-ht1w-s3hm"},{"vulnerability":"VCID-gp2d-vv3n-euda"},{"vulnerability":"VCID-grmm-88sf-wyd4"},{"vulnerability":"VCID-h3za-7cd7-vkav"},{"vulnerability":"VCID-hh13-6e1x-p7ez"},{"vulnerability":"VCID-htqk-ckr5-jbcu"},{"vulnerability":"VCID-j1d4-j44f-yqh9"},{"vulnerability":"VCID-j6wk-k1jb-jfd5"},{"vulnerability":"VCID-j8qq-yre6-4bfx"},{"vulnerability":"VCID-kb3b-8hqt-nqfj"},{"vulnerability":"VCID-mhqg-hey8-6bee"},{"vulnerability":"VCID-nep2-e16y-9yg4"},{"vulnerability":"VCID-nhab-uyen-ayhq"},{"vulnerability":"VCID-p8kk-e27s-n7cs"},{"vulnerability":"VCID-pfwt-hxpb-4ub8"},{"vulnerability":"VCID-py3b-5ps7-7fe3"},{"vulnerability":"VCID-qmcc-3ued-m7gk"},{"vulnerability":"VCID-qrmg-jky7-87cb"},{"vulnerability":"VCID-r47n-36pn-cbe4"},{"vulnerability":"VCID-rezz-ka5s-hyg2"},{"vulnerability":"VCID-smdx-nfbs-2qbx"},{"vulnerability":"VCID-tf8p-xrne-8qfg"},{"vulnerability":"VCID-tfc8-rkdd-53f7"},{"vulnerability":"VCID-vrpf-parp-7kgr"},{"vulnerability":"VCID-vvej-1fex-kqdn"},{"vulnerability":"VCID-wcsx-j8xk-r7c7"},{"vulnerability":"VCID-wnr9-2wyr-wug4"},{"vulnerability":"VCID-x12b-mjr9-sba2"},{"vulnerability":"VCID-x1w2-ytck-17bn"},{"vulnerability":"VCID-y2ya-ys74-vqbv"},{"vulnerability":"VCID-yc89-41eq-b3eh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7"}],"aliases":["CVE-2023-23927","GHSA-qcrj-6ffc-v7hq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t37k-f7k1-gyhz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7"}