Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/40449?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/40449?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "4.17.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.17.12", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77659?format=api", "vulnerability_id": "VCID-25ym-rhky-wbaq", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13059", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, 
{ "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { 
"value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25ym-rhky-wbaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360185?format=api", "vulnerability_id": "VCID-5qkr-aqmx-8qau", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call 
`assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [ { "value": 
"LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5qkr-aqmx-8qau" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/76900?format=api", "vulnerability_id": "VCID-5r6n-351z-2ybh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. 
This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15346", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264" }, { "reference_url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_id": "78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70" }, { "reference_url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620", "reference_id": "dfec46362fcb40b330ce8a4d8136446e65085620", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": 
"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620" }, { "reference_url": "https://github.com/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": 
"VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32264", "GHSA-4484-8v2f-5748" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5r6n-351z-2ybh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77152?format=api", "vulnerability_id": "VCID-e3k3-fp6t-kycw", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. 
This issue has been patched in versions 4.17.6 and 5.9.12.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14683", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267" }, { "reference_url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "reference_id": "6301e217c5f15617d939c432cb770db50af14b33", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33" }, { "reference_url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374515?format=api", "purl": "pkg:composer/craftcms/cms@4.17.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/374516?format=api", "purl": "pkg:composer/craftcms/cms@5.9.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12" } ], "aliases": [ "CVE-2026-32267", 
"GHSA-cc7p-2j3x-x7xf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e3k3-fp6t-kycw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81009?format=api", "vulnerability_id": "VCID-gp2d-vv3n-euda", "summary": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13041", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373534?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": 
null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gp2d-vv3n-euda" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67999?format=api", "vulnerability_id": "VCID-j1d4-j44f-yqh9", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02819", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44010" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44010" }, { "reference_url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_id": "834b2cf61ad0dcee9b03add44ed402ebf18db128", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128" }, { "reference_url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj2p-p9m4-c8gw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw", "reference_id": "GHSA-gj2p-p9m4-c8gw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376014?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44010", "GHSA-gj2p-p9m4-c8gw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j1d4-j44f-yqh9" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/77888?format=api", "vulnerability_id": "VCID-j6wk-k1jb-jfd5", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03998", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", 
"reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": 
"pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j6wk-k1jb-jfd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67887?format=api", "vulnerability_id": "VCID-j8qq-yre6-4bfx", "summary": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. 
This vulnerability is fixed in 4.17.12 and 5.9.18.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06356", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44011" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011" }, { "reference_url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_id": "ab85ca7f5f926994f723f60584054a1f4c4c5de3", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": 
"GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qrgm-p9w5-rrfw" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw", "reference_id": "GHSA-qrgm-p9w5-rrfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376014?format=api", "purl": "pkg:composer/craftcms/cms@4.17.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/376015?format=api", "purl": "pkg:composer/craftcms/cms@5.9.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18" } ], "aliases": [ "CVE-2026-44011", "GHSA-qrgm-p9w5-rrfw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j8qq-yre6-4bfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77955?format=api", "vulnerability_id": "VCID-nep2-e16y-9yg4", "summary": "Craft CMS is a content management system (CMS). 
From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06602", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": 
"Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "7f0ead833f7c2b91ae12003caad833479dd08592", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nep2-e16y-9yg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77697?format=api", "vulnerability_id": "VCID-py3b-5ps7-7fe3", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. 
This issue has been patched in versions 4.17.8 and 5.9.14.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03898", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "4.17.8", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "5.9.14", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": 
"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374878?format=api", "purl": "pkg:composer/craftcms/cms@4.17.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/374877?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-py3b-5ps7-7fe3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81021?format=api", "vulnerability_id": "VCID-smdx-nfbs-2qbx", "summary": "Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). 
Versions 4.17.9 and 5.9.15 patch the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1628", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373534?format=api", "purl": "pkg:composer/craftcms/cms@4.17.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/373533?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-smdx-nfbs-2qbx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/77578?format=api", "vulnerability_id": "VCID-yc89-41eq-b3eh", "summary": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. 
This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12316", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262" }, { "reference_url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_id": "c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11" }, { "reference_url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374750?format=api", "purl": "pkg:composer/craftcms/cms@4.17.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/374751?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { 
"vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32262", "GHSA-472v-j2g4-g9h2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yc89-41eq-b3eh" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71374?format=api", "vulnerability_id": "VCID-8rkv-wfha-n7hb", "summary": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). 
Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33522", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857" }, { "reference_url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "reference_id": "8d4903647dcfd31b8d40ed027e27082013347a80", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857", "reference_id": "CVE-2026-31857", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857" }, { "reference_url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" }, { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40449?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/40681?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { 
"vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31857", "GHSA-fp5j-j7j4-mcxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8rkv-wfha-n7hb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74141?format=api", "vulnerability_id": "VCID-bn85-sts4-5ygq", "summary": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. 
This vulnerability is fixed in 4.17.4 and 5.9.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00691", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113" }, { "reference_url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_id": "6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113", "reference_id": "CVE-2026-29113", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113" }, { "reference_url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40449?format=api", "purl": "pkg:composer/craftcms/cms@4.17.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/40451?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-25ym-rhky-wbaq" }, { "vulnerability": "VCID-5qkr-aqmx-8qau" }, { "vulnerability": "VCID-5r6n-351z-2ybh" }, { "vulnerability": "VCID-6bwp-2ksu-xucy" }, { "vulnerability": "VCID-8rkv-wfha-n7hb" }, { "vulnerability": "VCID-ayrf-rfwj-37bf" }, { "vulnerability": "VCID-e3k3-fp6t-kycw" }, { "vulnerability": "VCID-gp2d-vv3n-euda" }, { "vulnerability": "VCID-h9fr-63qv-bffn" }, { "vulnerability": "VCID-j1d4-j44f-yqh9" }, { "vulnerability": "VCID-j6wk-k1jb-jfd5" }, { "vulnerability": "VCID-j8qq-yre6-4bfx" }, { "vulnerability": "VCID-nep2-e16y-9yg4" }, { "vulnerability": "VCID-py3b-5ps7-7fe3" }, { "vulnerability": "VCID-smdx-nfbs-2qbx" }, { "vulnerability": "VCID-sswc-d2f8-zyc9" }, { "vulnerability": "VCID-tte6-fheg-g7hg" }, { "vulnerability": "VCID-up4q-hz23-vkcn" }, { "vulnerability": "VCID-vj1t-r17b-rufc" }, { "vulnerability": "VCID-yc89-41eq-b3eh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-29113", "GHSA-vg3j-hpm9-8v5v" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bn85-sts4-5ygq" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4" }