Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/craftcms/cms@3.9.3
Typecomposer
Namespacecraftcms
Namecms
Version3.9.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.17.12
Latest_non_vulnerable_version5.9.18
Affected_by_vulnerabilities
0
url VCID-5mnd-qvaq-k3am
vulnerability_id VCID-5mnd-qvaq-k3am
summary 
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68456
reference_id
reference_type
scores
0
value 0.00214
scoring_system epss
scoring_elements 0.4399
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68456
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
3
reference_url https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
reference_id
reference_type
scores
0
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/
url https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68456
reference_id CVE-2025-68456
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68456
5
reference_url https://github.com/advisories/GHSA-v64r-7wg9-23pr
reference_id GHSA-v64r-7wg9-23pr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v64r-7wg9-23pr
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
reference_id GHSA-v64r-7wg9-23pr
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
fixed_packages
0
url pkg:composer/craftcms/cms@4.16.17
purl pkg:composer/craftcms/cms@4.16.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-39ct-cg7w-kyb6
1
vulnerability VCID-41uv-1axm-fugb
2
vulnerability VCID-4wkr-jx1w-77hn
3
vulnerability VCID-5q5g-jrxm-eyhe
4
vulnerability VCID-83rt-3tyj-qbgx
5
vulnerability VCID-8u2j-17a4-q7eh
6
vulnerability VCID-9ca4-tbhq-27ad
7
vulnerability VCID-9enr-b6zd-mbh8
8
vulnerability VCID-a3b5-pwyh-yugv
9
vulnerability VCID-akrv-yqnf-1kg8
10
vulnerability VCID-azr5-12f8-hfbm
11
vulnerability VCID-cys8-jnmu-77ec
12
vulnerability VCID-e94m-mj1k-8kbr
13
vulnerability VCID-eaxm-rjr7-xudb
14
vulnerability VCID-efwv-r3nc-73h9
15
vulnerability VCID-fpea-e48p-kfbn
16
vulnerability VCID-fpke-p7sz-nfc9
17
vulnerability VCID-gzry-xtu5-ukhu
18
vulnerability VCID-hkp9-3hzv-quhk
19
vulnerability VCID-hyct-5gap-7kdu
20
vulnerability VCID-jeyh-3jxd-z3g6
21
vulnerability VCID-jxz8-g6fq-dubw
22
vulnerability VCID-kbrc-85av-nfcn
23
vulnerability VCID-m5rf-usae-yfb7
24
vulnerability VCID-nmzu-mefv-tqeh
25
vulnerability VCID-p3n8-1sht-bfbt
26
vulnerability VCID-ppet-ruae-1kav
27
vulnerability VCID-qwmy-d2e8-5khw
28
vulnerability VCID-qywv-vf4r-8bh9
29
vulnerability VCID-rzq4-h1ms-nqef
30
vulnerability VCID-sa99-8awj-eycd
31
vulnerability VCID-twuy-wzb7-k7g3
32
vulnerability VCID-tzjk-x116-ayge
33
vulnerability VCID-vasz-rnn1-67ev
34
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17
1
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-39ct-cg7w-kyb6
1
vulnerability VCID-41uv-1axm-fugb
2
vulnerability VCID-4wkr-jx1w-77hn
3
vulnerability VCID-5q5g-jrxm-eyhe
4
vulnerability VCID-5tzm-738x-xka9
5
vulnerability VCID-83rt-3tyj-qbgx
6
vulnerability VCID-8u2j-17a4-q7eh
7
vulnerability VCID-9ca4-tbhq-27ad
8
vulnerability VCID-9enr-b6zd-mbh8
9
vulnerability VCID-a3b5-pwyh-yugv
10
vulnerability VCID-a8p2-5cmc-n7g2
11
vulnerability VCID-akrv-yqnf-1kg8
12
vulnerability VCID-asek-4gme-gug8
13
vulnerability VCID-azr5-12f8-hfbm
14
vulnerability VCID-bqep-3c6u-mqhu
15
vulnerability VCID-cys8-jnmu-77ec
16
vulnerability VCID-e94m-mj1k-8kbr
17
vulnerability VCID-eaxm-rjr7-xudb
18
vulnerability VCID-efwv-r3nc-73h9
19
vulnerability VCID-esma-wxje-eqh3
20
vulnerability VCID-fpea-e48p-kfbn
21
vulnerability VCID-fpke-p7sz-nfc9
22
vulnerability VCID-gzry-xtu5-ukhu
23
vulnerability VCID-hkp9-3hzv-quhk
24
vulnerability VCID-hyct-5gap-7kdu
25
vulnerability VCID-jeyh-3jxd-z3g6
26
vulnerability VCID-jnrx-e9b5-wqew
27
vulnerability VCID-jxz8-g6fq-dubw
28
vulnerability VCID-kbrc-85av-nfcn
29
vulnerability VCID-m5rf-usae-yfb7
30
vulnerability VCID-nmzu-mefv-tqeh
31
vulnerability VCID-p3n8-1sht-bfbt
32
vulnerability VCID-pgm4-svq8-tfc5
33
vulnerability VCID-ppet-ruae-1kav
34
vulnerability VCID-qwmy-d2e8-5khw
35
vulnerability VCID-qywv-vf4r-8bh9
36
vulnerability VCID-rzq4-h1ms-nqef
37
vulnerability VCID-sa99-8awj-eycd
38
vulnerability VCID-twuy-wzb7-k7g3
39
vulnerability VCID-tzjk-x116-ayge
40
vulnerability VCID-vasz-rnn1-67ev
41
vulnerability VCID-vvhc-rnpr-ubey
42
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68456, GHSA-v64r-7wg9-23pr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am
1
url VCID-c2nk-y4rx-1qf4
vulnerability_id VCID-c2nk-y4rx-1qf4
summary 
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
You are affected if your php.ini configuration has `register_argc_argv` enabled.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-56145
reference_id
reference_type
scores
0
value 0.93926
scoring_system epss
scoring_elements 0.99888
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-56145
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/
url https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
3
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
4
reference_url https://github.com/Chocapikk/CVE-2024-56145
reference_id CVE-2024-56145
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Chocapikk/CVE-2024-56145
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-56145
reference_id CVE-2024-56145
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-56145
6
reference_url https://github.com/advisories/GHSA-2p6p-9rc9-62j9
reference_id GHSA-2p6p-9rc9-62j9
reference_type
scores
url https://github.com/advisories/GHSA-2p6p-9rc9-62j9
7
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
reference_id GHSA-2p6p-9rc9-62j9
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
fixed_packages
0
url pkg:composer/craftcms/cms@3.9.14
purl pkg:composer/craftcms/cms@3.9.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5mnd-qvaq-k3am
1
vulnerability VCID-fpea-e48p-kfbn
2
vulnerability VCID-hkp9-3hzv-quhk
3
vulnerability VCID-jxet-d8ux-mkge
4
vulnerability VCID-qq68-3j4y-47am
5
vulnerability VCID-rb7c-3nkc-gkeg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.14
1
url pkg:composer/craftcms/cms@4.13.2
purl pkg:composer/craftcms/cms@4.13.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-azr5-12f8-hfbm
15
vulnerability VCID-cys8-jnmu-77ec
16
vulnerability VCID-e94m-mj1k-8kbr
17
vulnerability VCID-eaxm-rjr7-xudb
18
vulnerability VCID-efwv-r3nc-73h9
19
vulnerability VCID-fpea-e48p-kfbn
20
vulnerability VCID-fpke-p7sz-nfc9
21
vulnerability VCID-gzry-xtu5-ukhu
22
vulnerability VCID-h6t5-pdp5-8qhe
23
vulnerability VCID-hkp9-3hzv-quhk
24
vulnerability VCID-hyct-5gap-7kdu
25
vulnerability VCID-jeyh-3jxd-z3g6
26
vulnerability VCID-jsfs-azcs-mfcm
27
vulnerability VCID-jxet-d8ux-mkge
28
vulnerability VCID-jxz8-g6fq-dubw
29
vulnerability VCID-kbrc-85av-nfcn
30
vulnerability VCID-m5rf-usae-yfb7
31
vulnerability VCID-nmzu-mefv-tqeh
32
vulnerability VCID-ppet-ruae-1kav
33
vulnerability VCID-qq68-3j4y-47am
34
vulnerability VCID-qwmy-d2e8-5khw
35
vulnerability VCID-qywv-vf4r-8bh9
36
vulnerability VCID-r5hp-5nju-9ubz
37
vulnerability VCID-rb7c-3nkc-gkeg
38
vulnerability VCID-rzq4-h1ms-nqef
39
vulnerability VCID-sa99-8awj-eycd
40
vulnerability VCID-twuy-wzb7-k7g3
41
vulnerability VCID-tzjk-x116-ayge
42
vulnerability VCID-vasz-rnn1-67ev
43
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2
2
url pkg:composer/craftcms/cms@5.5.2
purl pkg:composer/craftcms/cms@5.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-asek-4gme-gug8
15
vulnerability VCID-azr5-12f8-hfbm
16
vulnerability VCID-cys8-jnmu-77ec
17
vulnerability VCID-e94m-mj1k-8kbr
18
vulnerability VCID-eaxm-rjr7-xudb
19
vulnerability VCID-efwv-r3nc-73h9
20
vulnerability VCID-esma-wxje-eqh3
21
vulnerability VCID-fpea-e48p-kfbn
22
vulnerability VCID-fpke-p7sz-nfc9
23
vulnerability VCID-gzry-xtu5-ukhu
24
vulnerability VCID-h6t5-pdp5-8qhe
25
vulnerability VCID-hkp9-3hzv-quhk
26
vulnerability VCID-hyct-5gap-7kdu
27
vulnerability VCID-jeyh-3jxd-z3g6
28
vulnerability VCID-jnrx-e9b5-wqew
29
vulnerability VCID-jsfs-azcs-mfcm
30
vulnerability VCID-jxet-d8ux-mkge
31
vulnerability VCID-jxz8-g6fq-dubw
32
vulnerability VCID-kbrc-85av-nfcn
33
vulnerability VCID-m5rf-usae-yfb7
34
vulnerability VCID-nmzu-mefv-tqeh
35
vulnerability VCID-pgm4-svq8-tfc5
36
vulnerability VCID-ppet-ruae-1kav
37
vulnerability VCID-qq68-3j4y-47am
38
vulnerability VCID-qywv-vf4r-8bh9
39
vulnerability VCID-r5hp-5nju-9ubz
40
vulnerability VCID-rb7c-3nkc-gkeg
41
vulnerability VCID-rzq4-h1ms-nqef
42
vulnerability VCID-sa99-8awj-eycd
43
vulnerability VCID-twuy-wzb7-k7g3
44
vulnerability VCID-tzjk-x116-ayge
45
vulnerability VCID-vasz-rnn1-67ev
46
vulnerability VCID-vvhc-rnpr-ubey
47
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2
aliases CVE-2024-56145, GHSA-2p6p-9rc9-62j9
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4
2
url VCID-chep-xthg-zuee
vulnerability_id VCID-chep-xthg-zuee
summary 
Craft CMS Arbitrary System File Read
By abusing the mail notification template it is possible to read arbitrary operating system files.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52292
reference_id
reference_type
scores
0
value 0.00428
scoring_system epss
scoring_elements 0.62805
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52292
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52292
reference_id CVE-2024-52292
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52292
3
reference_url https://github.com/advisories/GHSA-cw6g-qmjq-6w2w
reference_id GHSA-cw6g-qmjq-6w2w
reference_type
scores
url https://github.com/advisories/GHSA-cw6g-qmjq-6w2w
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w
reference_id GHSA-cw6g-qmjq-6w2w
reference_type
scores
0
value 7.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w
fixed_packages
0
url pkg:composer/craftcms/cms@4.12.8
purl pkg:composer/craftcms/cms@4.12.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-azr5-12f8-hfbm
15
vulnerability VCID-c2nk-y4rx-1qf4
16
vulnerability VCID-cys8-jnmu-77ec
17
vulnerability VCID-e94m-mj1k-8kbr
18
vulnerability VCID-eaxm-rjr7-xudb
19
vulnerability VCID-efwv-r3nc-73h9
20
vulnerability VCID-fpea-e48p-kfbn
21
vulnerability VCID-fpke-p7sz-nfc9
22
vulnerability VCID-gzry-xtu5-ukhu
23
vulnerability VCID-h6t5-pdp5-8qhe
24
vulnerability VCID-hkp9-3hzv-quhk
25
vulnerability VCID-hyct-5gap-7kdu
26
vulnerability VCID-jeyh-3jxd-z3g6
27
vulnerability VCID-jsfs-azcs-mfcm
28
vulnerability VCID-jxet-d8ux-mkge
29
vulnerability VCID-jxz8-g6fq-dubw
30
vulnerability VCID-kbrc-85av-nfcn
31
vulnerability VCID-m5rf-usae-yfb7
32
vulnerability VCID-nmzu-mefv-tqeh
33
vulnerability VCID-ppet-ruae-1kav
34
vulnerability VCID-qq68-3j4y-47am
35
vulnerability VCID-qwmy-d2e8-5khw
36
vulnerability VCID-qywv-vf4r-8bh9
37
vulnerability VCID-r5hp-5nju-9ubz
38
vulnerability VCID-rb7c-3nkc-gkeg
39
vulnerability VCID-rzq4-h1ms-nqef
40
vulnerability VCID-sa99-8awj-eycd
41
vulnerability VCID-twuy-wzb7-k7g3
42
vulnerability VCID-tzjk-x116-ayge
43
vulnerability VCID-vasz-rnn1-67ev
44
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.12.8
1
url pkg:composer/craftcms/cms@5.4.9
purl pkg:composer/craftcms/cms@5.4.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-asek-4gme-gug8
15
vulnerability VCID-azr5-12f8-hfbm
16
vulnerability VCID-c2nk-y4rx-1qf4
17
vulnerability VCID-cys8-jnmu-77ec
18
vulnerability VCID-e94m-mj1k-8kbr
19
vulnerability VCID-eaxm-rjr7-xudb
20
vulnerability VCID-efwv-r3nc-73h9
21
vulnerability VCID-esma-wxje-eqh3
22
vulnerability VCID-fpea-e48p-kfbn
23
vulnerability VCID-fpke-p7sz-nfc9
24
vulnerability VCID-gzry-xtu5-ukhu
25
vulnerability VCID-h6t5-pdp5-8qhe
26
vulnerability VCID-hkp9-3hzv-quhk
27
vulnerability VCID-hyct-5gap-7kdu
28
vulnerability VCID-jeyh-3jxd-z3g6
29
vulnerability VCID-jnrx-e9b5-wqew
30
vulnerability VCID-jsfs-azcs-mfcm
31
vulnerability VCID-jxet-d8ux-mkge
32
vulnerability VCID-jxz8-g6fq-dubw
33
vulnerability VCID-kbrc-85av-nfcn
34
vulnerability VCID-m5rf-usae-yfb7
35
vulnerability VCID-nmzu-mefv-tqeh
36
vulnerability VCID-pgm4-svq8-tfc5
37
vulnerability VCID-ppet-ruae-1kav
38
vulnerability VCID-qq68-3j4y-47am
39
vulnerability VCID-qywv-vf4r-8bh9
40
vulnerability VCID-r5hp-5nju-9ubz
41
vulnerability VCID-rb7c-3nkc-gkeg
42
vulnerability VCID-rzq4-h1ms-nqef
43
vulnerability VCID-sa99-8awj-eycd
44
vulnerability VCID-twuy-wzb7-k7g3
45
vulnerability VCID-tzjk-x116-ayge
46
vulnerability VCID-vasz-rnn1-67ev
47
vulnerability VCID-vvhc-rnpr-ubey
48
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9
aliases CVE-2024-52292, GHSA-cw6g-qmjq-6w2w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-chep-xthg-zuee
3
url VCID-dz26-b2ts-puep
vulnerability_id VCID-dz26-b2ts-puep
summary 
Craft CMS Feed-Me
An issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-36260
reference_id
reference_type
scores
0
value 0.00366
scoring_system epss
scoring_elements 0.58935
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-36260
1
reference_url https://github.com/craftcms/feed-me
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/feed-me
2
reference_url https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/
url https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28
3
reference_url https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/
url https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28%29
4
reference_url https://github.com/craftcms/feed-me/releases/tag/4.6.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/feed-me/releases/tag/4.6.2
5
reference_url https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-30T16:40:39Z/
url https://www.linkedin.com/pulse/threat-briefing-craftcms-amrcybersecurity-emi0e/?trackingId=E75GttWvQp6gfvPiJDDUBA%3D%3D
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-36260
reference_id CVE-2023-36260
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-36260
7
reference_url https://github.com/advisories/GHSA-6p78-f7h9-6838
reference_id GHSA-6p78-f7h9-6838
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6p78-f7h9-6838
fixed_packages
0
url pkg:composer/craftcms/cms@4.6.2
purl pkg:composer/craftcms/cms@4.6.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.6.2
1
url pkg:composer/craftcms/cms@4.7.0
purl pkg:composer/craftcms/cms@4.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5cxe-tjpb-3qan
6
vulnerability VCID-5mnd-qvaq-k3am
7
vulnerability VCID-5q5g-jrxm-eyhe
8
vulnerability VCID-71sv-62m4-z3er
9
vulnerability VCID-7y4f-ef7t-47eb
10
vulnerability VCID-83rt-3tyj-qbgx
11
vulnerability VCID-8u2j-17a4-q7eh
12
vulnerability VCID-9ca4-tbhq-27ad
13
vulnerability VCID-9enr-b6zd-mbh8
14
vulnerability VCID-a3b5-pwyh-yugv
15
vulnerability VCID-akrv-yqnf-1kg8
16
vulnerability VCID-azr5-12f8-hfbm
17
vulnerability VCID-c2nk-y4rx-1qf4
18
vulnerability VCID-chep-xthg-zuee
19
vulnerability VCID-cys8-jnmu-77ec
20
vulnerability VCID-e94m-mj1k-8kbr
21
vulnerability VCID-eaxm-rjr7-xudb
22
vulnerability VCID-efwv-r3nc-73h9
23
vulnerability VCID-fpea-e48p-kfbn
24
vulnerability VCID-fpke-p7sz-nfc9
25
vulnerability VCID-gzry-xtu5-ukhu
26
vulnerability VCID-h6t5-pdp5-8qhe
27
vulnerability VCID-hkp9-3hzv-quhk
28
vulnerability VCID-hyct-5gap-7kdu
29
vulnerability VCID-jeyh-3jxd-z3g6
30
vulnerability VCID-jsfs-azcs-mfcm
31
vulnerability VCID-jxet-d8ux-mkge
32
vulnerability VCID-jxz8-g6fq-dubw
33
vulnerability VCID-kbrc-85av-nfcn
34
vulnerability VCID-m5rf-usae-yfb7
35
vulnerability VCID-nmzu-mefv-tqeh
36
vulnerability VCID-ppet-ruae-1kav
37
vulnerability VCID-qq68-3j4y-47am
38
vulnerability VCID-qwmy-d2e8-5khw
39
vulnerability VCID-qywv-vf4r-8bh9
40
vulnerability VCID-r5hp-5nju-9ubz
41
vulnerability VCID-rb7c-3nkc-gkeg
42
vulnerability VCID-rzq4-h1ms-nqef
43
vulnerability VCID-sa99-8awj-eycd
44
vulnerability VCID-twuy-wzb7-k7g3
45
vulnerability VCID-tzjk-x116-ayge
46
vulnerability VCID-vasz-rnn1-67ev
47
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.7.0
aliases CVE-2023-36260, GHSA-6p78-f7h9-6838
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dz26-b2ts-puep
4
url VCID-fpea-e48p-kfbn
vulnerability_id VCID-fpea-e48p-kfbn
summary 
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.

This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27127
reference_id
reference_type
scores
0
value 8e-05
scoring_system epss
scoring_elements 0.00719
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27127
1
reference_url https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
2
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
3
reference_url https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
reference_id
reference_type
scores
0
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/
url https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
4
reference_url https://github.com/mogwailabs/DNSrebinder
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mogwailabs/DNSrebinder
5
reference_url https://github.com/nccgroup/singularity
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nccgroup/singularity
6
reference_url https://github.com/taviso/rbndr
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/taviso/rbndr
7
reference_url https://unit42.paloaltonetworks.com/dns-rebinding
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://unit42.paloaltonetworks.com/dns-rebinding
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27127
reference_id CVE-2026-27127
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27127
9
reference_url https://github.com/advisories/GHSA-gp2f-7wcm-5fhx
reference_id GHSA-gp2f-7wcm-5fhx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gp2f-7wcm-5fhx
10
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
reference_id GHSA-gp2f-7wcm-5fhx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
11
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@4.16.19
purl pkg:composer/craftcms/cms@4.16.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-41uv-1axm-fugb
1
vulnerability VCID-4wkr-jx1w-77hn
2
vulnerability VCID-83rt-3tyj-qbgx
3
vulnerability VCID-8u2j-17a4-q7eh
4
vulnerability VCID-9ca4-tbhq-27ad
5
vulnerability VCID-akrv-yqnf-1kg8
6
vulnerability VCID-azr5-12f8-hfbm
7
vulnerability VCID-e94m-mj1k-8kbr
8
vulnerability VCID-eaxm-rjr7-xudb
9
vulnerability VCID-efwv-r3nc-73h9
10
vulnerability VCID-fpke-p7sz-nfc9
11
vulnerability VCID-gzry-xtu5-ukhu
12
vulnerability VCID-hyct-5gap-7kdu
13
vulnerability VCID-jxz8-g6fq-dubw
14
vulnerability VCID-kbrc-85av-nfcn
15
vulnerability VCID-m5rf-usae-yfb7
16
vulnerability VCID-nmzu-mefv-tqeh
17
vulnerability VCID-p3n8-1sht-bfbt
18
vulnerability VCID-qwmy-d2e8-5khw
19
vulnerability VCID-qywv-vf4r-8bh9
20
vulnerability VCID-rzq4-h1ms-nqef
21
vulnerability VCID-sa99-8awj-eycd
22
vulnerability VCID-tzjk-x116-ayge
23
vulnerability VCID-vasz-rnn1-67ev
24
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19
1
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-41uv-1axm-fugb
1
vulnerability VCID-4wkr-jx1w-77hn
2
vulnerability VCID-5tzm-738x-xka9
3
vulnerability VCID-83rt-3tyj-qbgx
4
vulnerability VCID-8u2j-17a4-q7eh
5
vulnerability VCID-9ca4-tbhq-27ad
6
vulnerability VCID-a8p2-5cmc-n7g2
7
vulnerability VCID-akrv-yqnf-1kg8
8
vulnerability VCID-asek-4gme-gug8
9
vulnerability VCID-azr5-12f8-hfbm
10
vulnerability VCID-bqep-3c6u-mqhu
11
vulnerability VCID-e94m-mj1k-8kbr
12
vulnerability VCID-eaxm-rjr7-xudb
13
vulnerability VCID-efwv-r3nc-73h9
14
vulnerability VCID-fpke-p7sz-nfc9
15
vulnerability VCID-gzry-xtu5-ukhu
16
vulnerability VCID-hyct-5gap-7kdu
17
vulnerability VCID-jnrx-e9b5-wqew
18
vulnerability VCID-jxz8-g6fq-dubw
19
vulnerability VCID-kbrc-85av-nfcn
20
vulnerability VCID-m5rf-usae-yfb7
21
vulnerability VCID-nmzu-mefv-tqeh
22
vulnerability VCID-p3n8-1sht-bfbt
23
vulnerability VCID-pgm4-svq8-tfc5
24
vulnerability VCID-qwmy-d2e8-5khw
25
vulnerability VCID-qywv-vf4r-8bh9
26
vulnerability VCID-rzq4-h1ms-nqef
27
vulnerability VCID-sa99-8awj-eycd
28
vulnerability VCID-tzjk-x116-ayge
29
vulnerability VCID-vasz-rnn1-67ev
30
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27127, GHSA-gp2f-7wcm-5fhx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fpea-e48p-kfbn
5
url VCID-hkp9-3hzv-quhk
vulnerability_id VCID-hkp9-3hzv-quhk
summary 
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.

This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27129
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01541
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27129
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/
url https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27129
reference_id CVE-2026-27129
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27129
4
reference_url https://github.com/advisories/GHSA-v2gc-rm6g-wrw9
reference_id GHSA-v2gc-rm6g-wrw9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v2gc-rm6g-wrw9
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
reference_id GHSA-v2gc-rm6g-wrw9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@4.16.19
purl pkg:composer/craftcms/cms@4.16.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-41uv-1axm-fugb
1
vulnerability VCID-4wkr-jx1w-77hn
2
vulnerability VCID-83rt-3tyj-qbgx
3
vulnerability VCID-8u2j-17a4-q7eh
4
vulnerability VCID-9ca4-tbhq-27ad
5
vulnerability VCID-akrv-yqnf-1kg8
6
vulnerability VCID-azr5-12f8-hfbm
7
vulnerability VCID-e94m-mj1k-8kbr
8
vulnerability VCID-eaxm-rjr7-xudb
9
vulnerability VCID-efwv-r3nc-73h9
10
vulnerability VCID-fpke-p7sz-nfc9
11
vulnerability VCID-gzry-xtu5-ukhu
12
vulnerability VCID-hyct-5gap-7kdu
13
vulnerability VCID-jxz8-g6fq-dubw
14
vulnerability VCID-kbrc-85av-nfcn
15
vulnerability VCID-m5rf-usae-yfb7
16
vulnerability VCID-nmzu-mefv-tqeh
17
vulnerability VCID-p3n8-1sht-bfbt
18
vulnerability VCID-qwmy-d2e8-5khw
19
vulnerability VCID-qywv-vf4r-8bh9
20
vulnerability VCID-rzq4-h1ms-nqef
21
vulnerability VCID-sa99-8awj-eycd
22
vulnerability VCID-tzjk-x116-ayge
23
vulnerability VCID-vasz-rnn1-67ev
24
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19
1
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-41uv-1axm-fugb
1
vulnerability VCID-4wkr-jx1w-77hn
2
vulnerability VCID-5tzm-738x-xka9
3
vulnerability VCID-83rt-3tyj-qbgx
4
vulnerability VCID-8u2j-17a4-q7eh
5
vulnerability VCID-9ca4-tbhq-27ad
6
vulnerability VCID-a8p2-5cmc-n7g2
7
vulnerability VCID-akrv-yqnf-1kg8
8
vulnerability VCID-asek-4gme-gug8
9
vulnerability VCID-azr5-12f8-hfbm
10
vulnerability VCID-bqep-3c6u-mqhu
11
vulnerability VCID-e94m-mj1k-8kbr
12
vulnerability VCID-eaxm-rjr7-xudb
13
vulnerability VCID-efwv-r3nc-73h9
14
vulnerability VCID-fpke-p7sz-nfc9
15
vulnerability VCID-gzry-xtu5-ukhu
16
vulnerability VCID-hyct-5gap-7kdu
17
vulnerability VCID-jnrx-e9b5-wqew
18
vulnerability VCID-jxz8-g6fq-dubw
19
vulnerability VCID-kbrc-85av-nfcn
20
vulnerability VCID-m5rf-usae-yfb7
21
vulnerability VCID-nmzu-mefv-tqeh
22
vulnerability VCID-p3n8-1sht-bfbt
23
vulnerability VCID-pgm4-svq8-tfc5
24
vulnerability VCID-qwmy-d2e8-5khw
25
vulnerability VCID-qywv-vf4r-8bh9
26
vulnerability VCID-rzq4-h1ms-nqef
27
vulnerability VCID-sa99-8awj-eycd
28
vulnerability VCID-tzjk-x116-ayge
29
vulnerability VCID-vasz-rnn1-67ev
30
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27129, GHSA-v2gc-rm6g-wrw9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hkp9-3hzv-quhk
6
url VCID-jhen-vhqx-n7dr
vulnerability_id VCID-jhen-vhqx-n7dr
summary 
Improper Privilege Management
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-21622
reference_id
reference_type
scores
0
value 0.00103
scoring_system epss
scoring_elements 0.27732
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-21622
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
3
reference_url https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
4
reference_url https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
5
reference_url https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
6
reference_url https://github.com/craftcms/cms/pull/13931
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/pull/13931
7
reference_url https://github.com/craftcms/cms/pull/13932
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/pull/13932
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-21622
reference_id CVE-2024-21622
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-21622
9
reference_url https://github.com/advisories/GHSA-j5g9-j7r4-6qvx
reference_id GHSA-j5g9-j7r4-6qvx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j5g9-j7r4-6qvx
10
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
reference_id GHSA-j5g9-j7r4-6qvx
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-08T17:11:55Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx
fixed_packages
0
url pkg:composer/craftcms/cms@3.9.6
purl pkg:composer/craftcms/cms@3.9.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5mnd-qvaq-k3am
1
vulnerability VCID-c2nk-y4rx-1qf4
2
vulnerability VCID-chep-xthg-zuee
3
vulnerability VCID-dz26-b2ts-puep
4
vulnerability VCID-fpea-e48p-kfbn
5
vulnerability VCID-hkp9-3hzv-quhk
6
vulnerability VCID-jxet-d8ux-mkge
7
vulnerability VCID-qq68-3j4y-47am
8
vulnerability VCID-rb7c-3nkc-gkeg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.6
1
url pkg:composer/craftcms/cms@4.5.11
purl pkg:composer/craftcms/cms@4.5.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5cxe-tjpb-3qan
6
vulnerability VCID-5mnd-qvaq-k3am
7
vulnerability VCID-5q5g-jrxm-eyhe
8
vulnerability VCID-71sv-62m4-z3er
9
vulnerability VCID-7y4f-ef7t-47eb
10
vulnerability VCID-83rt-3tyj-qbgx
11
vulnerability VCID-8u2j-17a4-q7eh
12
vulnerability VCID-9ca4-tbhq-27ad
13
vulnerability VCID-9enr-b6zd-mbh8
14
vulnerability VCID-a3b5-pwyh-yugv
15
vulnerability VCID-akrv-yqnf-1kg8
16
vulnerability VCID-azr5-12f8-hfbm
17
vulnerability VCID-c2nk-y4rx-1qf4
18
vulnerability VCID-chep-xthg-zuee
19
vulnerability VCID-cys8-jnmu-77ec
20
vulnerability VCID-dz26-b2ts-puep
21
vulnerability VCID-e94m-mj1k-8kbr
22
vulnerability VCID-eaxm-rjr7-xudb
23
vulnerability VCID-efwv-r3nc-73h9
24
vulnerability VCID-fpea-e48p-kfbn
25
vulnerability VCID-fpke-p7sz-nfc9
26
vulnerability VCID-gzry-xtu5-ukhu
27
vulnerability VCID-h6t5-pdp5-8qhe
28
vulnerability VCID-hkp9-3hzv-quhk
29
vulnerability VCID-hyct-5gap-7kdu
30
vulnerability VCID-jeyh-3jxd-z3g6
31
vulnerability VCID-jsfs-azcs-mfcm
32
vulnerability VCID-jxet-d8ux-mkge
33
vulnerability VCID-jxz8-g6fq-dubw
34
vulnerability VCID-kbrc-85av-nfcn
35
vulnerability VCID-m5rf-usae-yfb7
36
vulnerability VCID-nmzu-mefv-tqeh
37
vulnerability VCID-ppet-ruae-1kav
38
vulnerability VCID-qq68-3j4y-47am
39
vulnerability VCID-qwmy-d2e8-5khw
40
vulnerability VCID-qywv-vf4r-8bh9
41
vulnerability VCID-r5hp-5nju-9ubz
42
vulnerability VCID-rb7c-3nkc-gkeg
43
vulnerability VCID-rzq4-h1ms-nqef
44
vulnerability VCID-sa99-8awj-eycd
45
vulnerability VCID-twuy-wzb7-k7g3
46
vulnerability VCID-tzjk-x116-ayge
47
vulnerability VCID-vasz-rnn1-67ev
48
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.5.11
aliases CVE-2024-21622, GHSA-j5g9-j7r4-6qvx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jhen-vhqx-n7dr
7
url VCID-jxet-d8ux-mkge
vulnerability_id VCID-jxet-d8ux-mkge
summary Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-35939
reference_id
reference_type
scores
0
value 0.33065
scoring_system epss
scoring_elements 0.96993
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-35939
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2
3
reference_url https://github.com/craftcms/cms/pull/17220
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/
6
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/
url https://github.com/craftcms/cms/pull/17220
4
reference_url https://github.com/craftcms/cms/releases/tag/4.15.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/
6
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/
url https://github.com/craftcms/cms/releases/tag/4.15.3
5
reference_url https://github.com/craftcms/cms/releases/tag/5.7.5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/
6
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/
url https://github.com/craftcms/cms/releases/tag/5.7.5
6
reference_url https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/
6
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/
url https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939
8
reference_url https://www.cve.org/CVERecord?id=CVE-2025-35939
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/
6
value Attend
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/
url https://www.cve.org/CVERecord?id=CVE-2025-35939
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-35939
reference_id CVE-2025-35939
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-35939
10
reference_url https://github.com/advisories/GHSA-7vrx-9684-xrf2
reference_id GHSA-7vrx-9684-xrf2
reference_type
scores
url https://github.com/advisories/GHSA-7vrx-9684-xrf2
fixed_packages
0
url pkg:composer/craftcms/cms@4.15.3
purl pkg:composer/craftcms/cms@4.15.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-azr5-12f8-hfbm
15
vulnerability VCID-cys8-jnmu-77ec
16
vulnerability VCID-dbcz-erbe-u7dt
17
vulnerability VCID-e94m-mj1k-8kbr
18
vulnerability VCID-eaxm-rjr7-xudb
19
vulnerability VCID-efwv-r3nc-73h9
20
vulnerability VCID-fpea-e48p-kfbn
21
vulnerability VCID-fpke-p7sz-nfc9
22
vulnerability VCID-gzry-xtu5-ukhu
23
vulnerability VCID-h6t5-pdp5-8qhe
24
vulnerability VCID-hkp9-3hzv-quhk
25
vulnerability VCID-hyct-5gap-7kdu
26
vulnerability VCID-jeyh-3jxd-z3g6
27
vulnerability VCID-jxz8-g6fq-dubw
28
vulnerability VCID-kbrc-85av-nfcn
29
vulnerability VCID-m5rf-usae-yfb7
30
vulnerability VCID-nmzu-mefv-tqeh
31
vulnerability VCID-p3n8-1sht-bfbt
32
vulnerability VCID-ppet-ruae-1kav
33
vulnerability VCID-qwmy-d2e8-5khw
34
vulnerability VCID-qywv-vf4r-8bh9
35
vulnerability VCID-rb7c-3nkc-gkeg
36
vulnerability VCID-rzq4-h1ms-nqef
37
vulnerability VCID-sa99-8awj-eycd
38
vulnerability VCID-twuy-wzb7-k7g3
39
vulnerability VCID-tzjk-x116-ayge
40
vulnerability VCID-vasz-rnn1-67ev
41
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3
1
url pkg:composer/craftcms/cms@5.7.5
purl pkg:composer/craftcms/cms@5.7.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-5tzm-738x-xka9
8
vulnerability VCID-7y4f-ef7t-47eb
9
vulnerability VCID-83rt-3tyj-qbgx
10
vulnerability VCID-8u2j-17a4-q7eh
11
vulnerability VCID-9ca4-tbhq-27ad
12
vulnerability VCID-9enr-b6zd-mbh8
13
vulnerability VCID-a3b5-pwyh-yugv
14
vulnerability VCID-a8p2-5cmc-n7g2
15
vulnerability VCID-akrv-yqnf-1kg8
16
vulnerability VCID-asek-4gme-gug8
17
vulnerability VCID-azr5-12f8-hfbm
18
vulnerability VCID-bqep-3c6u-mqhu
19
vulnerability VCID-cys8-jnmu-77ec
20
vulnerability VCID-dbcz-erbe-u7dt
21
vulnerability VCID-e94m-mj1k-8kbr
22
vulnerability VCID-eaxm-rjr7-xudb
23
vulnerability VCID-efwv-r3nc-73h9
24
vulnerability VCID-esma-wxje-eqh3
25
vulnerability VCID-fpea-e48p-kfbn
26
vulnerability VCID-fpke-p7sz-nfc9
27
vulnerability VCID-gzry-xtu5-ukhu
28
vulnerability VCID-h6t5-pdp5-8qhe
29
vulnerability VCID-hkp9-3hzv-quhk
30
vulnerability VCID-hyct-5gap-7kdu
31
vulnerability VCID-jeyh-3jxd-z3g6
32
vulnerability VCID-jnrx-e9b5-wqew
33
vulnerability VCID-jxz8-g6fq-dubw
34
vulnerability VCID-kbrc-85av-nfcn
35
vulnerability VCID-m5rf-usae-yfb7
36
vulnerability VCID-nmzu-mefv-tqeh
37
vulnerability VCID-p3n8-1sht-bfbt
38
vulnerability VCID-pgm4-svq8-tfc5
39
vulnerability VCID-ppet-ruae-1kav
40
vulnerability VCID-qywv-vf4r-8bh9
41
vulnerability VCID-rb7c-3nkc-gkeg
42
vulnerability VCID-rzq4-h1ms-nqef
43
vulnerability VCID-sa99-8awj-eycd
44
vulnerability VCID-twuy-wzb7-k7g3
45
vulnerability VCID-tzjk-x116-ayge
46
vulnerability VCID-vasz-rnn1-67ev
47
vulnerability VCID-vvhc-rnpr-ubey
48
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5
aliases CVE-2025-35939, GHSA-7vrx-9684-xrf2
risk_score 10.0
exploitability 2.0
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge
8
url VCID-qq68-3j4y-47am
vulnerability_id VCID-qq68-3j4y-47am
summary 
Craft CMS Allows Remote Code Execution
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g

This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-32432
reference_id
reference_type
scores
0
value 0.93094
scoring_system epss
scoring_elements 0.99798
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-32432
1
reference_url https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
2
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
3
reference_url https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/
url https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
4
reference_url https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/
url https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
5
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
6
reference_url https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/
url https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
7
reference_url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
8
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
9
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py
reference_id CVE-2025-32432
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-32432
reference_id CVE-2025-32432
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-32432
11
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
reference_id GHSA-4w8r-3xrw-v25g
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
12
reference_url https://github.com/advisories/GHSA-f3gw-9ww9-jmc3
reference_id GHSA-f3gw-9ww9-jmc3
reference_type
scores
url https://github.com/advisories/GHSA-f3gw-9ww9-jmc3
13
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
reference_id GHSA-f3gw-9ww9-jmc3
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
fixed_packages
0
url pkg:composer/craftcms/cms@3.9.15
purl pkg:composer/craftcms/cms@3.9.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5mnd-qvaq-k3am
1
vulnerability VCID-fpea-e48p-kfbn
2
vulnerability VCID-hkp9-3hzv-quhk
3
vulnerability VCID-jxet-d8ux-mkge
4
vulnerability VCID-rb7c-3nkc-gkeg
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.15
1
url pkg:composer/craftcms/cms@4.14.15
purl pkg:composer/craftcms/cms@4.14.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-7y4f-ef7t-47eb
8
vulnerability VCID-83rt-3tyj-qbgx
9
vulnerability VCID-8u2j-17a4-q7eh
10
vulnerability VCID-9ca4-tbhq-27ad
11
vulnerability VCID-9enr-b6zd-mbh8
12
vulnerability VCID-a3b5-pwyh-yugv
13
vulnerability VCID-akrv-yqnf-1kg8
14
vulnerability VCID-azr5-12f8-hfbm
15
vulnerability VCID-cys8-jnmu-77ec
16
vulnerability VCID-dbcz-erbe-u7dt
17
vulnerability VCID-e94m-mj1k-8kbr
18
vulnerability VCID-eaxm-rjr7-xudb
19
vulnerability VCID-efwv-r3nc-73h9
20
vulnerability VCID-fpea-e48p-kfbn
21
vulnerability VCID-fpke-p7sz-nfc9
22
vulnerability VCID-gzry-xtu5-ukhu
23
vulnerability VCID-h6t5-pdp5-8qhe
24
vulnerability VCID-hkp9-3hzv-quhk
25
vulnerability VCID-hyct-5gap-7kdu
26
vulnerability VCID-jeyh-3jxd-z3g6
27
vulnerability VCID-jxet-d8ux-mkge
28
vulnerability VCID-jxz8-g6fq-dubw
29
vulnerability VCID-kbrc-85av-nfcn
30
vulnerability VCID-m5rf-usae-yfb7
31
vulnerability VCID-nmzu-mefv-tqeh
32
vulnerability VCID-ppet-ruae-1kav
33
vulnerability VCID-qwmy-d2e8-5khw
34
vulnerability VCID-qywv-vf4r-8bh9
35
vulnerability VCID-rb7c-3nkc-gkeg
36
vulnerability VCID-rzq4-h1ms-nqef
37
vulnerability VCID-sa99-8awj-eycd
38
vulnerability VCID-twuy-wzb7-k7g3
39
vulnerability VCID-tzjk-x116-ayge
40
vulnerability VCID-vasz-rnn1-67ev
41
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15
2
url pkg:composer/craftcms/cms@5.6.17
purl pkg:composer/craftcms/cms@5.6.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-41uv-1axm-fugb
4
vulnerability VCID-4wkr-jx1w-77hn
5
vulnerability VCID-5mnd-qvaq-k3am
6
vulnerability VCID-5q5g-jrxm-eyhe
7
vulnerability VCID-5tzm-738x-xka9
8
vulnerability VCID-7y4f-ef7t-47eb
9
vulnerability VCID-83rt-3tyj-qbgx
10
vulnerability VCID-8u2j-17a4-q7eh
11
vulnerability VCID-9ca4-tbhq-27ad
12
vulnerability VCID-9enr-b6zd-mbh8
13
vulnerability VCID-a3b5-pwyh-yugv
14
vulnerability VCID-a8p2-5cmc-n7g2
15
vulnerability VCID-akrv-yqnf-1kg8
16
vulnerability VCID-asek-4gme-gug8
17
vulnerability VCID-azr5-12f8-hfbm
18
vulnerability VCID-bqep-3c6u-mqhu
19
vulnerability VCID-cys8-jnmu-77ec
20
vulnerability VCID-dbcz-erbe-u7dt
21
vulnerability VCID-e94m-mj1k-8kbr
22
vulnerability VCID-eaxm-rjr7-xudb
23
vulnerability VCID-efwv-r3nc-73h9
24
vulnerability VCID-esma-wxje-eqh3
25
vulnerability VCID-fpea-e48p-kfbn
26
vulnerability VCID-fpke-p7sz-nfc9
27
vulnerability VCID-gzry-xtu5-ukhu
28
vulnerability VCID-h6t5-pdp5-8qhe
29
vulnerability VCID-hkp9-3hzv-quhk
30
vulnerability VCID-hyct-5gap-7kdu
31
vulnerability VCID-jeyh-3jxd-z3g6
32
vulnerability VCID-jnrx-e9b5-wqew
33
vulnerability VCID-jxet-d8ux-mkge
34
vulnerability VCID-jxz8-g6fq-dubw
35
vulnerability VCID-kbrc-85av-nfcn
36
vulnerability VCID-m5rf-usae-yfb7
37
vulnerability VCID-nmzu-mefv-tqeh
38
vulnerability VCID-pgm4-svq8-tfc5
39
vulnerability VCID-ppet-ruae-1kav
40
vulnerability VCID-qywv-vf4r-8bh9
41
vulnerability VCID-rb7c-3nkc-gkeg
42
vulnerability VCID-rzq4-h1ms-nqef
43
vulnerability VCID-sa99-8awj-eycd
44
vulnerability VCID-twuy-wzb7-k7g3
45
vulnerability VCID-tzjk-x116-ayge
46
vulnerability VCID-vasz-rnn1-67ev
47
vulnerability VCID-vvhc-rnpr-ubey
48
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17
aliases CVE-2025-32432, GHSA-f3gw-9ww9-jmc3
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am
9
url VCID-rb7c-3nkc-gkeg
vulnerability_id VCID-rb7c-3nkc-gkeg
summary 
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.

Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References:

https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-68437
reference_id
reference_type
scores
0
value 0.00016
scoring_system epss
scoring_elements 0.03989
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-68437
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
3
reference_url https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
reference_id
reference_type
scores
0
value 5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/
url https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68437
reference_id CVE-2025-68437
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68437
5
reference_url https://github.com/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x27p-wfqw-hfcc
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@4.16.17
purl pkg:composer/craftcms/cms@4.16.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-39ct-cg7w-kyb6
1
vulnerability VCID-41uv-1axm-fugb
2
vulnerability VCID-4wkr-jx1w-77hn
3
vulnerability VCID-5q5g-jrxm-eyhe
4
vulnerability VCID-83rt-3tyj-qbgx
5
vulnerability VCID-8u2j-17a4-q7eh
6
vulnerability VCID-9ca4-tbhq-27ad
7
vulnerability VCID-9enr-b6zd-mbh8
8
vulnerability VCID-a3b5-pwyh-yugv
9
vulnerability VCID-akrv-yqnf-1kg8
10
vulnerability VCID-azr5-12f8-hfbm
11
vulnerability VCID-cys8-jnmu-77ec
12
vulnerability VCID-e94m-mj1k-8kbr
13
vulnerability VCID-eaxm-rjr7-xudb
14
vulnerability VCID-efwv-r3nc-73h9
15
vulnerability VCID-fpea-e48p-kfbn
16
vulnerability VCID-fpke-p7sz-nfc9
17
vulnerability VCID-gzry-xtu5-ukhu
18
vulnerability VCID-hkp9-3hzv-quhk
19
vulnerability VCID-hyct-5gap-7kdu
20
vulnerability VCID-jeyh-3jxd-z3g6
21
vulnerability VCID-jxz8-g6fq-dubw
22
vulnerability VCID-kbrc-85av-nfcn
23
vulnerability VCID-m5rf-usae-yfb7
24
vulnerability VCID-nmzu-mefv-tqeh
25
vulnerability VCID-p3n8-1sht-bfbt
26
vulnerability VCID-ppet-ruae-1kav
27
vulnerability VCID-qwmy-d2e8-5khw
28
vulnerability VCID-qywv-vf4r-8bh9
29
vulnerability VCID-rzq4-h1ms-nqef
30
vulnerability VCID-sa99-8awj-eycd
31
vulnerability VCID-twuy-wzb7-k7g3
32
vulnerability VCID-tzjk-x116-ayge
33
vulnerability VCID-vasz-rnn1-67ev
34
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17
1
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-39ct-cg7w-kyb6
1
vulnerability VCID-41uv-1axm-fugb
2
vulnerability VCID-4wkr-jx1w-77hn
3
vulnerability VCID-5q5g-jrxm-eyhe
4
vulnerability VCID-5tzm-738x-xka9
5
vulnerability VCID-83rt-3tyj-qbgx
6
vulnerability VCID-8u2j-17a4-q7eh
7
vulnerability VCID-9ca4-tbhq-27ad
8
vulnerability VCID-9enr-b6zd-mbh8
9
vulnerability VCID-a3b5-pwyh-yugv
10
vulnerability VCID-a8p2-5cmc-n7g2
11
vulnerability VCID-akrv-yqnf-1kg8
12
vulnerability VCID-asek-4gme-gug8
13
vulnerability VCID-azr5-12f8-hfbm
14
vulnerability VCID-bqep-3c6u-mqhu
15
vulnerability VCID-cys8-jnmu-77ec
16
vulnerability VCID-e94m-mj1k-8kbr
17
vulnerability VCID-eaxm-rjr7-xudb
18
vulnerability VCID-efwv-r3nc-73h9
19
vulnerability VCID-esma-wxje-eqh3
20
vulnerability VCID-fpea-e48p-kfbn
21
vulnerability VCID-fpke-p7sz-nfc9
22
vulnerability VCID-gzry-xtu5-ukhu
23
vulnerability VCID-hkp9-3hzv-quhk
24
vulnerability VCID-hyct-5gap-7kdu
25
vulnerability VCID-jeyh-3jxd-z3g6
26
vulnerability VCID-jnrx-e9b5-wqew
27
vulnerability VCID-jxz8-g6fq-dubw
28
vulnerability VCID-kbrc-85av-nfcn
29
vulnerability VCID-m5rf-usae-yfb7
30
vulnerability VCID-nmzu-mefv-tqeh
31
vulnerability VCID-p3n8-1sht-bfbt
32
vulnerability VCID-pgm4-svq8-tfc5
33
vulnerability VCID-ppet-ruae-1kav
34
vulnerability VCID-qwmy-d2e8-5khw
35
vulnerability VCID-qywv-vf4r-8bh9
36
vulnerability VCID-rzq4-h1ms-nqef
37
vulnerability VCID-sa99-8awj-eycd
38
vulnerability VCID-twuy-wzb7-k7g3
39
vulnerability VCID-tzjk-x116-ayge
40
vulnerability VCID-vasz-rnn1-67ev
41
vulnerability VCID-vvhc-rnpr-ubey
42
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68437, GHSA-x27p-wfqw-hfcc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rb7c-3nkc-gkeg
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.3