{"url":"http://public2.vulnerablecode.io/api/packages/65261?format=json","purl":"pkg:composer/craftcms/cms@4.0.0-RC1","type":"composer","namespace":"craftcms","name":"cms","version":"4.0.0-RC1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.3.7","latest_non_vulnerable_version":"5.9.9","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49573?format=json","vulnerability_id":"VCID-1468-4fdx-kbfr","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454","reference_id":"CVE-2025-68454","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454"},{"reference_url":"https://github.com/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-742x-x762-7383"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73170?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68454","GHSA-742x-x762-7383"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1468-4fdx-kbfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49572?format=json","vulnerability_id":"VCID-1mb5-28xp-ckd2","summary":"Craft CMS vulnerable to potential information disclosure via unchecked asset relocation\nAuthenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\n Resources:\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436","reference_id":"CVE-2025-68436","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436"},{"reference_url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73170?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68436","GHSA-53vf-c43h-j2x9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1mb5-28xp-ckd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45286?format=json","vulnerability_id":"VCID-2vn9-2cs3-vbg3","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCraft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.","references":[{"reference_url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.4.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196","reference_id":"CVE-2023-33196","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33196"},{"reference_url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cjmm-x9x9-m2w5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5","reference_id":"GHSA-cjmm-x9x9-m2w5","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cjmm-x9x9-m2w5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65262?format=json","purl":"pkg:composer/craftcms/cms@4.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.7"}],"aliases":["CVE-2023-33196","GHSA-cjmm-x9x9-m2w5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2vn9-2cs3-vbg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49581?format=json","vulnerability_id":"VCID-7y4f-ef7t-47eb","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"},{"reference_url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"},{"reference_url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455","reference_id":"CVE-2025-68455","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455"},{"reference_url":"https://github.com/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73170?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68455","GHSA-255j-qw47-wjh5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7y4f-ef7t-47eb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50542?format=json","vulnerability_id":"VCID-8u2j-17a4-q7eh","summary":"Craft CMS Vulnerable to Authenticated RCE via \"craft.app.fs.write()\" in Twig Templates\nAn authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197"},{"reference_url":"https://github.com/craftcms/cms/pull/18216","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/18216"},{"reference_url":"https://github.com/craftcms/cms/pull/18219","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/18219"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697","reference_id":"CVE-2026-28697","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697"},{"reference_url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28697","GHSA-v47q-jxvr-p68x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8u2j-17a4-q7eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50068?format=json","vulnerability_id":"VCID-9enr-b6zd-mbh8","summary":"Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498","reference_id":"CVE-2026-25498","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498"},{"reference_url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73947?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25498","GHSA-7jx7-3846-m7w7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9enr-b6zd-mbh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50678?format=json","vulnerability_id":"VCID-akrv-yqnf-1kg8","summary":"Craft CMS has unauthenticated activation email trigger with potential user enumeration\nThe `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069","reference_id":"CVE-2026-29069","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069"},{"reference_url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74443?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.2"},{"url":"http://public2.vulnerablecode.io/api/packages/74442?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2"}],"aliases":["CVE-2026-29069","GHSA-234q-vvw3-mrfq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-akrv-yqnf-1kg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50613?format=json","vulnerability_id":"VCID-azr5-12f8-hfbm","summary":"Craft CMS has potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/pull/18208","references":[{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784","reference_id":"CVE-2026-28784","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784"},{"reference_url":"https://github.com/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qc86-q28f-ggww"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28784","GHSA-qc86-q28f-ggww"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-azr5-12f8-hfbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50072?format=json","vulnerability_id":"VCID-cys8-jnmu-77ec","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation\nThe `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494","reference_id":"CVE-2026-25494","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494"},{"reference_url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73947?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25494","GHSA-m5r2-8p9x-hp5m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cys8-jnmu-77ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45893?format=json","vulnerability_id":"VCID-ec34-nvn3-qbcb","summary":"Craft CMS vulnerable to Remote Code Execution via validatePath bypass\nBypassing the validatePath function can lead to potential Remote Code Execution\n(Post-authentication, ALLOW_ADMIN_CHANGES=true)","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/3.8.15","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/3.8.15"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.4.15","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.4.15"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035","reference_id":"CVE-2023-40035","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40035"},{"reference_url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-44wr-rmwq-3phw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw","reference_id":"GHSA-44wr-rmwq-3phw","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66616?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-40035","GHSA-44wr-rmwq-3phw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ec34-nvn3-qbcb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46011?format=json","vulnerability_id":"VCID-f7gc-cgka-tycr","summary":"Improper Control of Generation of Code ('Code Injection')\nCraft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.","references":[{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857"},{"reference_url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1"},{"reference_url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41892","reference_id":"CVE-2023-41892","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41892"},{"reference_url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66616?format=json","purl":"pkg:composer/craftcms/cms@4.4.15","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.4.15"}],"aliases":["CVE-2023-41892","GHSA-4w8r-3xrw-v25g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f7gc-cgka-tycr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50790?format=json","vulnerability_id":"VCID-hyct-5gap-7kdu","summary":"Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`.  The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113","reference_id":"CVE-2026-29113","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113"},{"reference_url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74586?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/74587?format=json","purl":"pkg:composer/craftcms/cms@5.9.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7"}],"aliases":["CVE-2026-29113","GHSA-vg3j-hpm9-8v5v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyct-5gap-7kdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50071?format=json","vulnerability_id":"VCID-jeyh-3jxd-z3g6","summary":"Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`\nThe `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.\nAn attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).\n\n> [!NOTE]\n> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495","reference_id":"CVE-2026-25495","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495"},{"reference_url":"https://github.com/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73947?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25495","GHSA-2453-mppf-46cj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jeyh-3jxd-z3g6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46777?format=json","vulnerability_id":"VCID-jhen-vhqx-n7dr","summary":"Improper Privilege Management\nCraft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.","references":[{"reference_url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16"},{"reference_url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16"},{"reference_url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa"},{"reference_url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843"},{"reference_url":"https://github.com/craftcms/cms/pull/13931","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/13931"},{"reference_url":"https://github.com/craftcms/cms/pull/13932","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/13932"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622","reference_id":"CVE-2024-21622","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21622"},{"reference_url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j5g9-j7r4-6qvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx","reference_id":"GHSA-j5g9-j7r4-6qvx","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68406?format=json","purl":"pkg:composer/craftcms/cms@4.5.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11"}],"aliases":["CVE-2024-21622","GHSA-j5g9-j7r4-6qvx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50633?format=json","vulnerability_id":"VCID-jxz8-g6fq-dubw","summary":"Craft CMS: Entries Authorship Spoofing via Mass Assignment\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"},{"reference_url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781","reference_id":"CVE-2026-28781","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781"},{"reference_url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28781","GHSA-2xfc-g69j-x2mp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz8-g6fq-dubw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50075?format=json","vulnerability_id":"VCID-kbrc-85av-nfcn","summary":"Craft CMS: GraphQL Asset Mutation Privilege Escalation\nType: Privilege Escalation (CWE-269)\nAffected: Craft CMS 5.x (likely affects 4.x and 3.x as well)\nLocation: `src/gql/resolvers/mutations/Asset.php lines 57-107`","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497","reference_id":"CVE-2026-25497","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497"},{"reference_url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-25497","GHSA-fxp3-g6gw-4r4v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbrc-85av-nfcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50612?format=json","vulnerability_id":"VCID-m5rf-usae-yfb7","summary":"Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options\nStored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2"},{"reference_url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276"},{"reference_url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["GHSA-4mgv-366x-qxvx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5rf-usae-yfb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50080?format=json","vulnerability_id":"VCID-ppet-ruae-1kav","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect\nThe `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493","reference_id":"CVE-2026-25493","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493"},{"reference_url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73947?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25493","GHSA-8jr8-7hr4-vhfx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ppet-ruae-1kav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50587?format=json","vulnerability_id":"VCID-qwmy-d2e8-5khw","summary":"Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget\nThere is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.\n\nThis bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695","reference_id":"CVE-2026-28695","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28695"},{"reference_url":"https://github.com/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-94rc-cqvm-m4pw"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw","reference_id":"GHSA-94rc-cqvm-m4pw","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28695","GHSA-94rc-cqvm-m4pw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qwmy-d2e8-5khw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50604?format=json","vulnerability_id":"VCID-qywv-vf4r-8bh9","summary":"Craft CMS has IDOR via GraphQL @parseRefs\nThe GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696","reference_id":"CVE-2026-28696","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696"},{"reference_url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28696","GHSA-7x43-mpfg-r9wj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qywv-vf4r-8bh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50073?format=json","vulnerability_id":"VCID-twuy-wzb7-k7g3","summary":"Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields\nA stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496","reference_id":"CVE-2026-25496","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496"},{"reference_url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73947?format=json","purl":"pkg:composer/craftcms/cms@4.16.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18"},{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25496","GHSA-9f5h-mmq6-2x78"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-twuy-wzb7-k7g3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50545?format=json","vulnerability_id":"VCID-vasz-rnn1-67ev","summary":"Craft CMS has Twig Function Blocklist Bypass\nCraft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.\n\nIn order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.\n\nSeveral PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.\n\nTwig has already deprecated this behavior, and it will eventually be removed from Twig altogether.\n\nhttps://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096\n\nThis has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Clousure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.\n\nExisting projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783","reference_id":"CVE-2026-28783","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783"},{"reference_url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28783","GHSA-5fvc-7894-ghp4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vasz-rnn1-67ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50642?format=json","vulnerability_id":"VCID-w9yn-1573-hyau","summary":"Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782","reference_id":"CVE-2026-28782","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782"},{"reference_url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73953?format=json","purl":"pkg:composer/craftcms/cms@4.17.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28782","GHSA-jxm3-pmm2-9gf6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w9yn-1573-hyau"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1"}