{"url":"http://public2.vulnerablecode.io/api/packages/64081?format=json","purl":"pkg:composer/craftcms/cms@4.0.0-RC1","type":"composer","namespace":"craftcms","name":"cms","version":"4.0.0-RC1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.2.1","latest_non_vulnerable_version":"5.9.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17699?format=json","vulnerability_id":"VCID-27rw-tqt8-b3cw","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nA post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2817","reference_id":"","reference_type":"","scores":[{"value":"0.00339","scoring_system":"epss","scoring_elements":"0.56911","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-2817"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/"}],"url":"https://github.com/craftcms/c
ms/commit/7655e1009ba6cdbfb230e6bb138b775b69fc7bcb"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tenable.com/security/research/tra-2023-20"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20,","reference_id":"","reference_type":"","scores":[],"url":"https://www.tenable.com/security/research/tra-2023-20,"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2817","reference_id":"CVE-2023-2817","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2817"},{"reference_url":"https://github.com/advisories/GHSA-7x94-jx75-3gh6","reference_id":"GHSA-7x94-jx75-3gh6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x94-jx75-3gh6"},{"reference_url":"https://www.tenable.com/security/research/tra-2023-20%2C","reference_id":"tra-2023-20%2C","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-15T15:47:46Z/"}],"url":"https://www.tenable.com/security/research/tra-2023-20%2C"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64068?format=json","purl":"pkg:composer/craftcms/cms@4.4.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.12"}],"aliases":["CVE-2023-2817"
,"GHSA-7x94-jx75-3gh6"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-27rw-tqt8-b3cw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21983?format=json","vulnerability_id":"VCID-2re8-4twc-eqez","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the 
issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454","reference_id":"","reference_type":"","scores":[{"value":"0.00648","scoring_system":"epss","scoring_elements":"0.7112","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"},{"reference_url":"https://nvd.nist.gov/vuln/
detail/CVE-2025-68454","reference_id":"CVE-2025-68454","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454"},{"reference_url":"https://github.com/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-742x-x762-7383"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71964?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-uzyt-dujv-nqh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/71963?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-76vz-cxx8-z7fc"},{"vuln
erability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-uzyt-dujv-nqh6"},{"vulnerability":"VCID-w35e-5gaq-y3aw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68454","GHSA-742x-x762-7383"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2re8-4twc-eqez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/300857?format=json","vulnerability_id":"VCID-33wy-gw8z-gud7","summary":"","references":[{"reference_url":"http://github.com/craftcms/cms/pull/17026","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/craftcms/cms/pull/17026"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731","reference_id":"","reference_type":"","scores":[{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76153","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:
N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731"},{"reference_url":"https://github.com/advisories/GHSA-7c58-g782-9j38","reference_id":"GHSA-7c58-g782-9j38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7c58-g782-9j38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196197?format=json","purl":"pkg:composer/craftcms/cms@4.14.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.13"},{"url":"http://public2.vulnerablecode.io/api/packages/196198?format=json","purl":"pkg:composer/craftcms/cms@5.6.15","is_vulnerable":false,"affected_by_vulnerabiliti
es":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15"}],"aliases":["CVE-2025-46731","GHSA-7c58-g782-9j38"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-33wy-gw8z-gud7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/328595?format=json","vulnerability_id":"VCID-3u81-kkt8-j7e7","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02764","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value
":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158"},{"reference_url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c"}],"fixed_packages":[{"url":"http://publi
c2.vulnerablecode.io/api/packages/190219?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/190216?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33158","GHSA-3pvf-vxrv-hh9c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3u81-kkt8-j7e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201944?format=json","vulnerability_id":"VCID-46sq-495d-fkay","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37247","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37247"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/3.7.55.2/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cm
s/blob/3.7.55.2/src/helpers/Cp.php"},{"reference_url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php"},{"reference_url":"https://github.com/craftcms/cms/commit/cedeba0609e4b173cd584dae7f33c5f713f19627","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/cedeba0609e4b173cd584dae7f33c5f713f19627"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37247","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://labs.integrity.pt/advisories/cve-2022-37247"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37247/","reference_id":"CVE-2022-37247","reference_type":"","scores":[],"url":"https://labs.integrity.pt/advisories/cve-2022-37247/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37247","reference_id":"CVE-2022-37247","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37247"},{"reference_url":"https://github.com/advisories/GHSA-3cvm-7wrh-qrf9","reference_id":"GHSA-3cvm-7wrh-qrf9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_ele
ments":""}],"url":"https://github.com/advisories/GHSA-3cvm-7wrh-qrf9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79211?format=json","purl":"pkg:composer/craftcms/cms@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.2.1"}],"aliases":["CVE-2022-37247","GHSA-3cvm-7wrh-qrf9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-46sq-495d-fkay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22949?format=json","vulnerability_id":"VCID-4zfr-4pgf-zke4","summary":"Craft CMS Vulnerable to Authenticated RCE via \"craft.app.fs.write()\" in Twig Templates\nAn authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system 
commands.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697","reference_id":"","reference_type":"","scores":[{"value":"0.00208","scoring_system":"epss","scoring_elements":"0.43203","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197"},{"reference_url":"https://github.com/craftcms/cms/pull/18216","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18216"},{"reference_url":"https://github.com/craftcms/cms/pull/18219","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":
"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18219"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697","reference_id":"CVE-2026-28697","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697"},{"reference_url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabilit
y":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28697","GHSA-v47q-jxvr-p68x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4zfr-4pgf-zke4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22482?format=json","vulnerability_id":"VCID-51qg-ehr3-3qeu","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation\nThe `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05224","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/
SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494","reference_id":"CVE-2026-25494","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:
X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494"},{"reference_url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72741?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/72740?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulne
rability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25494","GHSA-m5r2-8p9x-hp5m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-51qg-ehr3-3qeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21982?format=json","vulnerability_id":"VCID-5h4n-14xc-uuf6","summary":"Craft CMS vulnerable to potential information disclosure via unchecked asset relocation\nAuthenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo via maliciously crafted requests.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\n Resources:\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17789","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:
H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436","reference_id":"CVE-2025-68436","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436"},{"reference_url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71964?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-
uzyt-dujv-nqh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/71963?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-76vz-cxx8-z7fc"},{"vulnerability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-uzyt-dujv-nqh6"},{"vulnerability":"VCID-w35e-5gaq-y3aw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68436","GHSA-53vf-c43h-j2x9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5h4n-14xc-uuf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18313?format=json","vulnerability_id":"VCID-5h73-3z9j-xqb8","summary":"Craft CMS vulnerable to Remote Code Execution via validatePath bypass\nBypassing the validatePath function can lead to potential Remote Code Execution\n(Post-authentication, 
ALLOW_ADMIN_CHANGES=true)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40035","reference_id":"","reference_type":"","scores":[{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54241","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40035"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/3.8.15","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/3.8.15"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.15","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value
":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.15"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035","reference_id":"CVE-2023-40035","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035"},{"reference_url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T20:33:49Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65436?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-40035","GHSA-44wr-rmwq-3phw"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5h73-3z9j-xqb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23197?format=json","vul
nerability_id":"VCID-68jz-k8d5-u7dk","summary":"Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`.  The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00696","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_syste
m":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113","reference_id":"CVE-2026-29113","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113"},{"reference_url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73373?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vul
nerability":"VCID-xysn-pqxv-hyds"},{"vulnerability":"VCID-zebb-ngev-a7de"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/73374?format=json","purl":"pkg:composer/craftcms/cms@5.9.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7"}],"aliases":["CVE-2026-29113","GHSA-vg3j-hpm9-8v5v"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-68jz-k8d5-u7dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21991?format=json","vulnerability_id":"VCID-6epu-syvm-d3ed","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. 
Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455","reference_id":"","reference_type":"","scores":[{"value":"0.01513","scoring_system":"epss","scoring_elements":"0.81517","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:
R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"},{"reference_url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"},{"reference_url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455","reference_id":"CVE-2025-68455","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455"},{"reference_url":"https://github.com/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-
255j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71964?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-uzyt-dujv-nqh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/71963?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-51qg-ehr3-3qeu"},{"vulnerability":"VCID-76vz-cxx8-z7fc"},{"vulnerability":"VCID-7b71-dsva-cfan"},{"vulnerability":"VCID-jy6d-5zfh-7ycp"},{"vulnerability":"VCID-u3cv-q3ft-qkhj"},{"vulnerability":"VCID-uzyt-dujv-nqh6"},{"vulnerability":"VCID-w35e-5gaq-y3aw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68455","GHSA-255j-qw47-wjh5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6epu-syvm-d3ed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22483?format=json","vulnerability_id":"VCID-7b71-dsva-cfan","summary":"Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields\nA stored XSS vulnerability exists in the Number 
field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06771","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:
N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496","reference_id":"CVE-2026-25496","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496"},{"reference_url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72741?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"
}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/72740?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25496","GHSA-9f5h-mmq6-2x78"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7b71-dsva-cfan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17700?format=json","vulnerability_id":"VCID-82fq-7xbq-pkd4","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. 
This issue has been patched in version 4.4.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33197","reference_id":"","reference_type":"","scores":[{"value":"0.00588","scoring_system":"epss","scoring_elements":"0.69458","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33197"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.6","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33197","reference_id":"CVE-2023-33197","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"gener
ic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33197"},{"reference_url":"https://github.com/advisories/GHSA-6qjx-787v-6pxr","reference_id":"GHSA-6qjx-787v-6pxr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qjx-787v-6pxr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr","reference_id":"GHSA-6qjx-787v-6pxr","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:32:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6qjx-787v-6pxr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63980?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-upnk-thub-2fg1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-33197","GHSA-6qjx-787v-6pxr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-82fq-7xbq-pkd4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16992?format=json","vulnerability_id":"VCID-bhy3-udjf-ykez","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a platform for creating digital experiences. When a payload is inserted into a label name or instruction of an entry type, a cross-site scripting (XSS) vulnerability is triggered in the quick post widget on the admin dashboard. 
This issue has been fixed in version 4.3.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23927","reference_id":"","reference_type":"","scores":[{"value":"0.02749","scoring_system":"epss","scoring_elements":"0.86251","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23927"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#437---2023-02-03"},{"reference_url":"https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23927","reference_id":"CVE-2023-23927","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23927"},{"reference_url":"https://github.com/advisories/GHSA-qcrj-6ffc-v7hq","reference_id":"GHSA-qcrj-6ffc-v7hq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcrj-6ffc-v7hq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq","reference_id":"GHSA-qcrj-6ffc-v7hq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:30:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qcrj-6ffc-v7hq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62937?format=json","purl":"pkg:composer/craftcms/cms@4.3.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.3.7"}],"aliases":["CVE-2023-23927","GHSA-qcrj-6ffc-v7hq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bhy3-udjf-ykez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22485?format=json","vulnerability_id":"VCID-ccwe-z8nr-3qhq","summary":"Craft CMS: GraphQL Asset Mutation Privilege Escalation\nType: Privilege Escalation (CWE-269)\nAffected: Craft CMS 5.x (likely affects 4.x and 3.x as well)\nLocation: `src/gql/resolvers/mutations/Asset.php lines 
57-107`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06328","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVC
v2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497","reference_id":"CVE-2026-25497","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497"},{"reference_url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resourc
e_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-25497","GHSA-fxp3-g6gw-4r4v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ccwe-z8nr-3qhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23049?format=json","vulnerability_id":"VCID-ch5h-xzgt-6kgs","summary":"Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. 
Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12972","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782","reference_id":"CVE-2026-28782","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782"},{"reference_url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","
reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28782","GHSA-jxm3-pmm2-9gf6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ch5h-xzgt-6kgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22952?format=json","vulnerability_id":"VCID-ejv9-c3hf-jfax","summary":"Craft CMS has Twig Function Blocklist Bypass\nCraft CMS implements a blocklist to prevent potentially dangerous PHP 
functions from being called via Twig non-Closure arrow functions.\n\nIn order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.\n\nSeveral PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.\n\nTwig has already deprecated this behavior, and it will eventually be removed from Twig altogether.\n\nhttps://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096\n\nThis has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Closure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.\n\nExisting projects should update to the patched versions (5.9.0 or 4.17.0) and must also enable the config 
setting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11162","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783","reference_id":"CVE-2026-28783","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVS
S:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783"},{"reference_url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28783","GHSA-5fvc-7894-ghp4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2
.vulnerablecode.io/vulnerabilities/VCID-ejv9-c3hf-jfax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201943?format=json","vulnerability_id":"VCID-hn1f-f29s-g3bj","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37246","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37246"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a8a980c7b6fc52fb93b679b","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T16:32:42Z/"}],"url":"https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a8a980c7b6fc52fb93b679b"},{"reference_url":"https://github.com/craftcms/cms/commit/ecefe7f0afe0a6c4d1097a570cba82753d33f681","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/ecefe7f0afe0a6c4d1097a570cba82753d33f681"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37246","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://labs.integrity.pt/advisories/cve-2022-37246"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37246/","reference_id":"CVE-2022-37246","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-27T16:32:42Z/"}],"url":"https://labs.integrity.pt/advisories/cve-2022-37246/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37246","reference_id":"CVE-2022-37246","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37246"},{"reference_url":"https://github.com/advisories/GHSA-f546-v666-559x","reference_id":"GHSA-f546-v666-559x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f546-v666-559x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79211?format=json","purl":"pkg:composer/craftcms/cms@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.2.1"}],"aliases":["CVE-2022-37246","GHSA-f546-v666-559x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hn1f-f29s-g3bj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23020?format=json","vulnerability_id":"VCID-j9n2-1u2k-ckc5","summary":"Craft CMS has potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, the attacker must have administrator access to 
the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/pull/18208","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0631","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_
system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784","reference_id":"CVE-2026-28784","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784"},{"reference_url":"https://github.com/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc86-q28f-ggww"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28784","GHSA-qc86-q28f-ggww"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j9n2-1u2k-ckc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/307843?format=json","vulnerability_id":"VCID-jxub-yja7-2qhf","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45524","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc","reference
_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"},{"reference_url":"https://github.com/craftcms/cms/pull/17612","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/pull/17612"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":""
,"reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811"},{"reference_url":"https://github.com/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-crcq-738g-pqvc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/194978?format=json","purl":"pkg:composer/craftcms/cms@4.16.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6"},{"url":"http://public2.vulnerablecode.io/api/packages/73199?format=json","purl":"pkg:composer/craftcms/cms@5.8.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mytj-88ea-73d9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7"}],"aliases":["CVE-2025-57811","GHSA-crcq-738g-pqvc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxub-yja7-2qhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22478?format=json","vulnerability_id":"VCID-jy6d-5zfh-7ycp","summary":"Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the 
`assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54864","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generi
c_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498","reference_id":"CVE-2026-25498","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498"},{"reference_url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72741?format=json","purl":"pkg:composer/cra
ftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/72740?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25498","GHSA-7jx7-3846-m7w7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jy6d-5zfh-7ycp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201946?format=json","vulnerability_id":"VCID-kb8h-6rmc-wka1","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37250","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37250"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/3.7.55.1/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/3.7.55.1/src/helpers/Cp.php"},{"reference_url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09"},{"reference_url":"https://github.com/craftcms/cms/commit/cdc9cb66d0716c9552e4113c8e426fd1a31f9516","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-03T18:03:29Z/"}],"url":"https://github.com/craftcms/cms/commit/cdc9cb66d0716c9552e4113c8e426fd1a31f9516"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37250","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://labs.integrity.pt/advisories/cve-2022-37250"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37250/","
reference_id":"CVE-2022-37250","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-03T18:03:29Z/"}],"url":"https://labs.integrity.pt/advisories/cve-2022-37250/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37250","reference_id":"CVE-2022-37250","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37250"},{"reference_url":"https://github.com/advisories/GHSA-8r89-x93x-mjq2","reference_id":"GHSA-8r89-x93x-mjq2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8r89-x93x-mjq2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79211?format=json","purl":"pkg:composer/craftcms/cms@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.2.1"}],"aliases":["CVE-2022-37250","GHSA-8r89-x93x-mjq2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kb8h-6rmc-wka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17702?format=json","vulnerability_id":"VCID-kts7-xtbb-tqgy","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. An earlier CVE fix addressed the XSS in the label HTML but did not fix it when clicking save. 
This issue was patched in version 4.4.6.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33194","reference_id":"","reference_type":"","scores":[{"value":"0.00062","scoring_system":"epss","scoring_elements":"0.19536","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33194"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.6","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33194","reference_id":"CVE-2023-33194","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33194"},{"reference_url":"https://github.com/advisories/GHSA-3wxg-w96j-8hq9","reference_id":"GHSA-3wxg-w96j-8hq9","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3wxg-w96j-8hq9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9","reference_id":"GHSA-3wxg-w96j-8hq9","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:25:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3wxg-w96j-8hq9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63980?format=json","purl":"pkg:composer/craftcms/cms@4.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-upnk-thub-2fg1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.6"}],"aliases":["CVE-2023-33194","GHSA-3wxg-w96j-8hq9"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kts7-xtbb-tqgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23019?format=json","vulnerability_id":"VCID-m28c-yq43-a7cq","summary":"Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options\nStored XSS in multiple settings. 
Names/labels are rendered without sanitization via the `checkbox.twig` template, which uses `{{ label|raw }}`.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2"},{"reference_url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276"},{"reference_url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scorin
g_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["GHSA-4mgv-366x-qxvx"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m28c-yq43-a7cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/328596?format=json","vulnerability_id":"VCID-mfvj-g7bk-h3hw","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08817","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"val
ue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159","reference_id":"",
"reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159"},{"reference_url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190219?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/190216?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33159","GHSA-6mrr-q3pj-h53w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mfvj-g7bk-h3hw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22994?format=json","vulnerability_id":"VCID-mytj-88ea-73d9","summary":"Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget\nThere is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.\n\nThis bypasses the fix implemented for CVE-2025-57811 (patched in 
5.8.7).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28695","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08324","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28695"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695","reference_id":"CVE-2026-28695","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695"},{"reference_url":"https://github.com/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advis
ories/GHSA-94rc-cqvm-m4pw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:03:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28695","GHSA-94rc-cqvm-m4pw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mytj-88ea-73d9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/286926?format=json","vulnerability_id":"VCID-n648-rgev-bydr","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"0.1639","scoring_system":"epss","scoring_elements":"0.9498","published_at":"2026-05-30T12:55:00Z"}],"url":"h
ttps://api.first.org/data/v1/epss?cve=CVE-2025-23209"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_element
s":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"},{"reference_url":"https://github.com/advisories/GHSA-x684-96hh-833x","reference_id":"GHSA-x684-96hh-833x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x684-96hh-833x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/193935?format=json","purl":"pkg:composer/craftcms/cms@4.13.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zbrb-dmub-67as"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.8"},{"url":"http://public2.vulnerablecode.io/api/packages/193934?format=json","purl":"pkg:composer/craftcms/cms@5.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zbrb-dmub-67as"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8"}],"aliases":["CVE-2025-23209","GHSA-x684-96hh-833x"],"ris
k_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n648-rgev-bydr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18431?format=json","vulnerability_id":"VCID-p9a4-4g1n-7qf4","summary":"Improper Control of Generation of Code ('Code Injection')\nCraft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","references":[{"reference_url":"http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41892","reference_id":"","reference_type":"","scores":[{"value":"0.93942","scoring_system":"epss","scoring_elements":"0.99889","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41892"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system"
:"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857"},{"reference_url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476"},{"reference_url":"h
ttps://nvd.nist.gov/vuln/detail/CVE-2023-41892","reference_id":"CVE-2023-41892","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41892"},{"reference_url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65436?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-41892","GHSA-4w8r-3xrw-v25g"],"risk_score":1.6,"exploitability":"2.0","weighted_severity":"0.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p9a4-4g1n-7qf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/328597?format=json","vulnerability_id":"VCID-q1jg-5qq3-zkbv","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03755","published_at":"2026-05-30T12:55:00Z"}],"
url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958","reference_id":"","reference_type":"","scores":[{"v
alue":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e","reference_id":"7290d91639e","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e"},{"reference_url":"https://github.com/advisories/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5pgf-h923-m958"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190219?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/190216?format=json","purl":"pk
g:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33160","GHSA-5pgf-h923-m958"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q1jg-5qq3-zkbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/328598?format=json","vulnerability_id":"VCID-rnze-pnhe-abh4","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11073","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.
0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161"},{"reference_url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","sco
ring_elements":""}],"url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190219?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/190216?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33161","GHSA-vgjg-248p-rfm2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rnze-pnhe-abh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/327894?format=json","vulnerability_id":"VCID-rrce-ncgp-qbcg","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14645","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/
AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267"},{"reference_url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/189603?format=json","purl":"pkg:composer/craftcms/cms@4.17.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.6"},{"url":"http://public2.vulnerablecode.io/api/packages/189604?format=json","purl":"pkg:composer/craftcms/cms@5.9.12","is_vulnerable":
true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gxan-r3pw-7uhw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12"}],"aliases":["CVE-2026-32267","GHSA-cc7p-2j3x-x7xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrce-ncgp-qbcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/269696?format=json","vulnerability_id":"VCID-tshq-ktbd-juak","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31765","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/"}],"url":"https://github.com/craftcms/cms/
security/advisories/GHSA-jrh5-vhr9-qh7q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291"},{"reference_url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"GHSA-jrh5-vhr9-qh7q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187871?format=json","purl":"pkg:composer/craftcms/cms@4.12.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.5"},{"url":"http://public2.vulnerablecode.io/api/packages/187870?format=json","purl":"pkg:composer/craftcms/cms@5.4.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6"}],"aliases":["CVE-2024-52291","GHSA-jrh5-vhr9-qh7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tshq-ktbd-juak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/332441?format=json","vulnerability_id":"VCID-ttgr-49ur-z7aa","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16245","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference
_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130"},{"reference_url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[{"value":"MODERATE","
scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188589?format=json","purl":"pkg:composer/craftcms/cms@4.17.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9"},{"url":"http://public2.vulnerablecode.io/api/packages/188588?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41130","GHSA-95wr-3f2v-v2wh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ttgr-49ur-z7aa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22490?format=json","vulnerability_id":"VCID-u3cv-q3ft-qkhj","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect\nThe `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. 
An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05224","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/M
UI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493","reference_id":"CVE-2026-25493","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493"},{"reference_url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4",
"scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72741?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/72740?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25493","GHSA-8jr8-7hr4-vhfx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u3cv-q3ft-qkhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17706?format=json","vulnerability_id":"VCID-upnk-thub-2fg1","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating 
custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33196","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26402","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33196"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.7","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.4.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196","reference_id":"CVE-2023-33196","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"C
VSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196"},{"reference_url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:29:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64082?format=json","purl":"pkg:composer/craftcms/cms@4.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7"}],"aliases":["CVE-2023-33196","GHSA-cjmm-x9x9-m2w5"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-upnk-thub-2fg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22481?format=json","vulnerability_id":"VCID-uzyt-dujv-nqh6","summary":"Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`\nThe `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). 
The application fails to sanitize this input before using it in the database query.\nAn attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).\n\n> [!NOTE]\n> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03273","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases
/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495","reference_id":"CVE-2026-25495","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495"},{"reference_url":"https://github.com/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72741?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vu
lnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/72740?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-efkn-13cf-97c3"},{"vulnerability":"VCID-g17s-3ghd-5fhm"},{"vulnerability":"VCID-ntx4-ssgk-jqgh"},{"vulnerability":"VCID-s9mh-xu8b-fqgf"},{"vulnerability":"VCID-ukq9-ggdc-byf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25495","GHSA-2453-mppf-46cj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzyt-dujv-nqh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23040?format=json","vulnerability_id":"VCID-vg28-8erb-27ae","summary":"Craft CMS: Entries Authorship Spoofing via Mass Assignment\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. 
This effectively \"spoofs\" the authorship.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16098","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"},{"reference_url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}]
,"url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781","reference_id":"CVE-2026-28781","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781"},{"reference_url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vul
nerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28781","GHSA-2xfc-g69j-x2mp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vg28-8erb-27ae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201947?format=json","vulnerability_id":"VCID-vwm6-qumh-ayd2","summary":"","references":[{"reference_url":"http://craft.com","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://craft.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37251","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37251"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09"},{"reference_url":"https://github.com/craftcms/cms/commit/7139213dbd9e177a3528aac8e2db8de91830f118","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_s
ystem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7139213dbd9e177a3528aac8e2db8de91830f118"},{"reference_url":"https://github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903"},{"reference_url":"https://github.com/craftcms/cms/commit/f0d9b8a1e3ac005a2418f7d3d9059b49a96e73ea","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/f0d9b8a1e3ac005a2418f7d3d9059b49a96e73ea"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37251","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://labs.integrity.pt/advisories/cve-2022-37251"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37251/","reference_id":"CVE-2022-37251","reference_type":"","scores":[],"url":"https://labs.integrity.pt/advisories/cve-2022-37251/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37251","reference_id":"CVE-2022-37251","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://nvd.nist.gov/vuln/detail/CVE-2022-37251"},{"reference_url":"https://github.com/advisories/GHSA-mw37-wx8p-gp45","reference_id":"GHSA-mw37-wx8p-gp45","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mw37-wx8p-gp45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79211?format=json","purl":"pkg:composer/craftcms/cms@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.2.1"}],"aliases":["CVE-2022-37251","GHSA-mw37-wx8p-gp45"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vwm6-qumh-ayd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/294186?format=json","vulnerability_id":"VCID-w9cn-xgye-jber","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"0.92897","scoring_system":"epss","scoring_elements":"0.99778","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432"},{"reference_url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/
craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/e1c85441fa47e
eb7c688c2053f25419bc0547b47","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432"},{"reference_url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-c
ampaign-using-rce-in-craftcms"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py","reference_id":"CVE-2025-32432","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/193371?format=json","purl":"pkg:composer/craftcms/cms@4.14.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15"},{"url":"http://public2.vulnerablecode.io/api/packages/193372?format=json","purl":"pkg:composer/craftcms/cms@5.6.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17"}],"aliases":["CVE-2025-32432","GHSA-f3gw-9ww9-jmc3"],"risk_score":null,
"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w9cn-xgye-jber"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/346941?format=json","vulnerability_id":"VCID-whnf-tybt-qqbf","summary":"Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- 
b1cddf72c98a","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq"},{"reference_url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq","reference_id":"GHSA-44px-qjjc-xrhq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44p
x-qjjc-xrhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/190219?format=json","purl":"pkg:composer/craftcms/cms@4.17.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.8"},{"url":"http://public2.vulnerablecode.io/api/packages/190216?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ttgr-49ur-z7aa"},{"vulnerability":"VCID-xpq3-v9ts-x7es"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["GHSA-44px-qjjc-xrhq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-whnf-tybt-qqbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/269698?format=json","vulnerability_id":"VCID-wj8y-tapy-p3f1","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293","reference_id":"","reference_type":"","scores":[{"value":"0.21994","scoring_system":"epss","scoring_elements":"0.95873","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293"},{"reference_url":"https://github.com/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187830?format=json","purl":"pkg:composer/craftcms/cms@4.12.2","is_vulnerable":false,"affected_by_vulnerabil
ities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.2"},{"url":"http://public2.vulnerablecode.io/api/packages/187831?format=json","purl":"pkg:composer/craftcms/cms@5.4.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3"}],"aliases":["CVE-2024-52293","GHSA-f3cw-hg6r-chfv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wj8y-tapy-p3f1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/271840?format=json","vulnerability_id":"VCID-wx6u-ss6p-3ue3","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"0.93926","scoring_system":"epss","scoring_elements":"0.99886","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145"},{"reference_url":"https://github.com/Chocapikk/CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Chocapikk/CVE-2024-56145"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.c
om/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"
url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145"},{"reference_url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/187515?format=json","purl":"pkg:composer/craftcms/cms@4.13.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2"},{"url":"http://public2.vulnerablecode.io/api/packages/187514?format=json","purl":"pkg:composer/craftcms/cms@5.5.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2"}],"aliases":["CVE-2024-56145","GHSA-2p6p-9rc9-62j9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wx6u-ss6p-3ue3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/332440?format=json","vulnerability_id":"VCID-xpq3-v9ts-x7es","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13023","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cv
e=CVE-2026-41129"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129"},{"reference_url":"https://github.com/advisories/GHSA-3m9m-2
4vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/188589?format=json","purl":"pkg:composer/craftcms/cms@4.17.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.9"},{"url":"http://public2.vulnerablecode.io/api/packages/188588?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41129","GHSA-3m9m-24vh-39wx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpq3-v9ts-x7es"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/327889?format=json","vulnerability_id":"VCID-xysn-pqxv-hyds","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12346","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/V
I:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262"},{"reference_url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/189980?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rrce-ncgp-qbcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/189981?format=json","purl":"pkg:composer/cr
aftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rrce-ncgp-qbcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32262","GHSA-472v-j2g4-g9h2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xysn-pqxv-hyds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201945?format=json","vulnerability_id":"VCID-yn3x-km7n-d3hd","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37248","reference_id":"","reference_type":"","scores":[{"value":"0.00323","scoring_system":"epss","scoring_elements":"0.55633","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-37248"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/3.7.55.1/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/3.7.55.1/src/helpers/Cp.php"},{"reference_url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/4.0.0-RC1/src/helpers/Cp.php"},{"reference_url":"https:/
/github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#421---2022-08-09"},{"reference_url":"https://github.com/craftcms/cms/commit/cedeba0609e4b173cd584dae7f33c5f713f19627","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/cedeba0609e4b173cd584dae7f33c5f713f19627"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37248","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://labs.integrity.pt/advisories/cve-2022-37248"},{"reference_url":"https://labs.integrity.pt/advisories/cve-2022-37248/","reference_id":"CVE-2022-37248","reference_type":"","scores":[],"url":"https://labs.integrity.pt/advisories/cve-2022-37248/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37248","reference_id":"CVE-2022-37248","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37248"},{"reference_url":"https://github.com/advisories/GHSA-wxvf-839f-jqmh","reference_id":"GHSA-wxvf-839f-jqmh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/adviso
ries/GHSA-wxvf-839f-jqmh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79211?format=json","purl":"pkg:composer/craftcms/cms@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.2.1"}],"aliases":["CVE-2022-37248","GHSA-wxvf-839f-jqmh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yn3x-km7n-d3hd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19193?format=json","vulnerability_id":"VCID-z48z-h23a-5qag","summary":"Improper Privilege Management\nCraft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those 
versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21622","reference_id":"","reference_type":"","scores":[{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27786","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-21622"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"},{"reference_url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"},{"reference_url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_sy
stem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"},{"reference_url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"},{"reference_url":"https://github.com/craftcms/cms/pull/13931","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/pull/13931"},{"reference_url":"https://github.com/craftcms/cms/pull/13932","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/pull/13932"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622","reference_id":"CVE-2024-21622","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERAT
E","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622"},{"reference_url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67214?format=json","purl":"pkg:composer/craftcms/cms@4.5.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11"}],"aliases":["CVE-2024-21622","GHSA-j5g9-j7r4-6qvx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z48z-h23a-5qag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/327891?format=json","vulnerability_id":"VCID-zebb-ngev-a7de","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15298","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264"},{"reference_url":"https://github.com/craftcms/cms","refer
ence_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"},{"reference_url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484
-8v2f-5748"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264"},{"reference_url":"https://github.com/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/189980?format=json","purl":"pkg:composer/craftcms/cms@4.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rrce-ncgp-qbcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.5"},{"url":"http://public2.vulnerablecode.io/api/packages/189981?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rrce-ncgp-qbcg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32264","GHSA-4484-8v2f-5748"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.
io/vulnerabilities/VCID-zebb-ngev-a7de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/23011?format=json","vulnerability_id":"VCID-zh94-u2by-xkg5","summary":"Craft CMS has IDOR via GraphQL @parseRefs\nThe GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.0719","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696","reference_id":"CVE-2026-28696","reference_type":"","scores":[{"value":"8.7","scoring_system":"c
vssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696"},{"reference_url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72747?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/72746?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-p4uy-hbad-k3c2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28696","GHSA-7x43-mpfg-r9wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zh94-u2by-xkg5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/230
85?format=json","vulnerability_id":"VCID-zybg-fqev-eber","summary":"Craft CMS has unauthenticated activation email trigger with potential user enumeration\nThe `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service 
functionality.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.1781","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069","reference_id":"CVE-2026-29069","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069"},{"reference_url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA
-234q-vvw3-mrfq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73230?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.2"},{"url":"http://public2.vulnerablecode.io/api/packages/73229?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2"}],"aliases":["CVE-2026-29069","GHSA-234q-vvw3-mrfq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zybg-fqev-eber"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1"}