Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/craftcms/cms@5.0.0-RC1
Typecomposer
Namespacecraftcms
Namecms
Version5.0.0-RC1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.1.2
Latest_non_vulnerable_version5.9.18
Affected_by_vulnerabilities
0
url VCID-1468-4fdx-kbfr
vulnerability_id VCID-1468-4fdx-kbfr
summary 
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.

It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

References:

https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
2
reference_url https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68454
reference_id CVE-2025-68454
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68454
4
reference_url https://github.com/advisories/GHSA-742x-x762-7383
reference_id GHSA-742x-x762-7383
reference_type
scores
url https://github.com/advisories/GHSA-742x-x762-7383
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
reference_id GHSA-742x-x762-7383
reference_type
scores
0
value 5.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68454, GHSA-742x-x762-7383
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1468-4fdx-kbfr
1
url VCID-1mb5-28xp-ckd2
vulnerability_id VCID-1mb5-28xp-ckd2
summary 
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

 Resources:

https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9

https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
reference_id
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68436
reference_id CVE-2025-68436
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68436
3
reference_url https://github.com/advisories/GHSA-53vf-c43h-j2x9
reference_id GHSA-53vf-c43h-j2x9
reference_type
scores
url https://github.com/advisories/GHSA-53vf-c43h-j2x9
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
reference_id GHSA-53vf-c43h-j2x9
reference_type
scores
0
value 4.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68436, GHSA-53vf-c43h-j2x9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1mb5-28xp-ckd2
2
url VCID-39ct-cg7w-kyb6
vulnerability_id VCID-39ct-cg7w-kyb6
summary 
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27126
reference_id CVE-2026-27126
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27126
3
reference_url https://github.com/advisories/GHSA-3jh3-prx3-w6wc
reference_id GHSA-3jh3-prx3-w6wc
reference_type
scores
url https://github.com/advisories/GHSA-3jh3-prx3-w6wc
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
reference_id GHSA-3jh3-prx3-w6wc
reference_type
scores
0
value 5.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27126, GHSA-3jh3-prx3-w6wc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-39ct-cg7w-kyb6
3
url VCID-4wkr-jx1w-77hn
vulnerability_id VCID-4wkr-jx1w-77hn
summary 
CraftCMS has an RCE vulnerability via relational conditionals in the control panel
A Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.

The `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input
through `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.

Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full
RCE by sending a crafted condition rule via standard element listing endpoints.

This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and
bypasses all production hardening settings (allowAdminChanges: false, devMode: false,
enableTwigSandbox: true).

Users should update to the patched 5.99 release to mitigate the issue.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31857
reference_id CVE-2026-31857
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31857
3
reference_url https://github.com/advisories/GHSA-fp5j-j7j4-mcxc
reference_id GHSA-fp5j-j7j4-mcxc
reference_type
scores
url https://github.com/advisories/GHSA-fp5j-j7j4-mcxc
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc
reference_id GHSA-fp5j-j7j4-mcxc
reference_type
scores
0
value 8.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.9
purl pkg:composer/craftcms/cms@5.9.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9
aliases CVE-2026-31857, GHSA-fp5j-j7j4-mcxc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4wkr-jx1w-77hn
4
url VCID-5cxe-tjpb-3qan
vulnerability_id VCID-5cxe-tjpb-3qan
summary 
Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double `file://` scheme (e.g., `file://file:////`). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads.

Note that this will only work if you have an authenticated administrator account with allowAdminChanges enabled
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52291
reference_id CVE-2024-52291
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52291
2
reference_url https://github.com/advisories/GHSA-jrh5-vhr9-qh7q
reference_id GHSA-jrh5-vhr9-qh7q
reference_type
scores
url https://github.com/advisories/GHSA-jrh5-vhr9-qh7q
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q
reference_id GHSA-jrh5-vhr9-qh7q
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q
fixed_packages
0
url pkg:composer/craftcms/cms@5.4.6
purl pkg:composer/craftcms/cms@5.4.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6
aliases CVE-2024-52291, GHSA-jrh5-vhr9-qh7q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5cxe-tjpb-3qan
5
url VCID-5mnd-qvaq-k3am
vulnerability_id VCID-5mnd-qvaq-k3am
summary 
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
2
reference_url https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68456
reference_id CVE-2025-68456
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68456
4
reference_url https://github.com/advisories/GHSA-v64r-7wg9-23pr
reference_id GHSA-v64r-7wg9-23pr
reference_type
scores
url https://github.com/advisories/GHSA-v64r-7wg9-23pr
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
reference_id GHSA-v64r-7wg9-23pr
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68456, GHSA-v64r-7wg9-23pr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am
6
url VCID-5q5g-jrxm-eyhe
vulnerability_id VCID-5q5g-jrxm-eyhe
summary 
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
references
0
reference_url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
3
reference_url https://github.com/craftcms/cms/releases/tag/4.16.19
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.19
4
reference_url https://github.com/craftcms/cms/releases/tag/5.8.23
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.23
5
reference_url https://github.com/advisories/GHSA-6j87-m5qx-9fqp
reference_id GHSA-6j87-m5qx-9fqp
reference_type
scores
url https://github.com/advisories/GHSA-6j87-m5qx-9fqp
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp
reference_id GHSA-6j87-m5qx-9fqp
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases GHSA-6j87-m5qx-9fqp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5q5g-jrxm-eyhe
7
url VCID-71sv-62m4-z3er
vulnerability_id VCID-71sv-62m4-z3er
summary 
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
Missing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.

`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52293
reference_id CVE-2024-52293
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52293
3
reference_url https://github.com/advisories/GHSA-f3cw-hg6r-chfv
reference_id GHSA-f3cw-hg6r-chfv
reference_type
scores
url https://github.com/advisories/GHSA-f3cw-hg6r-chfv
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
reference_id GHSA-f3cw-hg6r-chfv
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
fixed_packages
0
url pkg:composer/craftcms/cms@5.4.3
purl pkg:composer/craftcms/cms@5.4.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3
aliases CVE-2024-52293, GHSA-f3cw-hg6r-chfv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-71sv-62m4-z3er
8
url VCID-7y4f-ef7t-47eb
vulnerability_id VCID-7y4f-ef7t-47eb
summary 
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.

Leveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
2
reference_url https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
3
reference_url https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
4
reference_url https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68455
reference_id CVE-2025-68455
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68455
6
reference_url https://github.com/advisories/GHSA-255j-qw47-wjh5
reference_id GHSA-255j-qw47-wjh5
reference_type
scores
url https://github.com/advisories/GHSA-255j-qw47-wjh5
7
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
reference_id GHSA-255j-qw47-wjh5
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68455, GHSA-255j-qw47-wjh5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7y4f-ef7t-47eb
9
url VCID-8u2j-17a4-q7eh
vulnerability_id VCID-8u2j-17a4-q7eh
summary 
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197
2
reference_url https://github.com/craftcms/cms/pull/18216
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/pull/18216
3
reference_url https://github.com/craftcms/cms/pull/18219
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/pull/18219
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28697
reference_id CVE-2026-28697
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28697
5
reference_url https://github.com/advisories/GHSA-v47q-jxvr-p68x
reference_id GHSA-v47q-jxvr-p68x
reference_type
scores
url https://github.com/advisories/GHSA-v47q-jxvr-p68x
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x
reference_id GHSA-v47q-jxvr-p68x
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28697, GHSA-v47q-jxvr-p68x
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8u2j-17a4-q7eh
10
url VCID-9enr-b6zd-mbh8
vulnerability_id VCID-9enr-b6zd-mbh8
summary 
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25498
reference_id CVE-2026-25498
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25498
5
reference_url https://github.com/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
url https://github.com/advisories/GHSA-7jx7-3846-m7w7
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25498, GHSA-7jx7-3846-m7w7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9enr-b6zd-mbh8
11
url VCID-a3b5-pwyh-yugv
vulnerability_id VCID-a3b5-pwyh-yugv
summary 
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.

To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.

For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27128
reference_id CVE-2026-27128
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27128
3
reference_url https://github.com/advisories/GHSA-6fx5-5cw5-4897
reference_id GHSA-6fx5-5cw5-4897
reference_type
scores
url https://github.com/advisories/GHSA-6fx5-5cw5-4897
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897
reference_id GHSA-6fx5-5cw5-4897
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27128, GHSA-6fx5-5cw5-4897
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a3b5-pwyh-yugv
12
url VCID-akrv-yqnf-1kg8
vulnerability_id VCID-akrv-yqnf-1kg8
summary 
Craft CMS has unauthenticated activation email trigger with potential user enumeration
The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.

The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.

Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29069
reference_id CVE-2026-29069
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29069
3
reference_url https://github.com/advisories/GHSA-234q-vvw3-mrfq
reference_id GHSA-234q-vvw3-mrfq
reference_type
scores
url https://github.com/advisories/GHSA-234q-vvw3-mrfq
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq
reference_id GHSA-234q-vvw3-mrfq
reference_type
scores
0
value 7.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.2
purl pkg:composer/craftcms/cms@5.9.0-beta.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2
aliases CVE-2026-29069, GHSA-234q-vvw3-mrfq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-akrv-yqnf-1kg8
13
url VCID-azr5-12f8-hfbm
vulnerability_id VCID-azr5-12f8-hfbm
summary 
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Alternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.

It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.

Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

References:

https://github.com/craftcms/cms/pull/18208
references
0
reference_url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/pull/18208
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/pull/18208
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28784
reference_id CVE-2026-28784
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28784
4
reference_url https://github.com/advisories/GHSA-qc86-q28f-ggww
reference_id GHSA-qc86-q28f-ggww
reference_type
scores
url https://github.com/advisories/GHSA-qc86-q28f-ggww
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww
reference_id GHSA-qc86-q28f-ggww
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28784, GHSA-qc86-q28f-ggww
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-azr5-12f8-hfbm
14
url VCID-c2nk-y4rx-1qf4
vulnerability_id VCID-c2nk-y4rx-1qf4
summary 
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
You are affected if your php.ini configuration has `register_argc_argv` enabled.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
2
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
3
reference_url https://github.com/Chocapikk/CVE-2024-56145
reference_id CVE-2024-56145
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Chocapikk/CVE-2024-56145
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-56145
reference_id CVE-2024-56145
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-56145
5
reference_url https://github.com/advisories/GHSA-2p6p-9rc9-62j9
reference_id GHSA-2p6p-9rc9-62j9
reference_type
scores
url https://github.com/advisories/GHSA-2p6p-9rc9-62j9
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
reference_id GHSA-2p6p-9rc9-62j9
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
fixed_packages
0
url pkg:composer/craftcms/cms@5.5.2
purl pkg:composer/craftcms/cms@5.5.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2
aliases CVE-2024-56145, GHSA-2p6p-9rc9-62j9
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4
15
url VCID-cys8-jnmu-77ec
vulnerability_id VCID-cys8-jnmu-77ec
summary 
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
The `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25494
reference_id CVE-2026-25494
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25494
5
reference_url https://github.com/advisories/GHSA-m5r2-8p9x-hp5m
reference_id GHSA-m5r2-8p9x-hp5m
reference_type
scores
url https://github.com/advisories/GHSA-m5r2-8p9x-hp5m
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m
reference_id GHSA-m5r2-8p9x-hp5m
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25494, GHSA-m5r2-8p9x-hp5m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cys8-jnmu-77ec
16
url VCID-esma-wxje-eqh3
vulnerability_id VCID-esma-wxje-eqh3
summary 
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.

> [!NOTE]
> This is a separate vulnerability from the previously reported "[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)" and "[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)". This affects a different sink: the individual user's permissions page.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
2
reference_url https://github.com/advisories/GHSA-g3hp-vvqf-8vw6
reference_id GHSA-g3hp-vvqf-8vw6
reference_type
scores
url https://github.com/advisories/GHSA-g3hp-vvqf-8vw6
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6
reference_id GHSA-g3hp-vvqf-8vw6
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases GHSA-g3hp-vvqf-8vw6
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-esma-wxje-eqh3
17
url VCID-fpea-e48p-kfbn
vulnerability_id VCID-fpea-e48p-kfbn
summary 
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.

This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints.
references
0
reference_url https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
3
reference_url https://github.com/mogwailabs/DNSrebinder
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mogwailabs/DNSrebinder
4
reference_url https://github.com/nccgroup/singularity
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nccgroup/singularity
5
reference_url https://github.com/taviso/rbndr
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/taviso/rbndr
6
reference_url https://unit42.paloaltonetworks.com/dns-rebinding
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://unit42.paloaltonetworks.com/dns-rebinding
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27127
reference_id CVE-2026-27127
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27127
8
reference_url https://github.com/advisories/GHSA-gp2f-7wcm-5fhx
reference_id GHSA-gp2f-7wcm-5fhx
reference_type
scores
url https://github.com/advisories/GHSA-gp2f-7wcm-5fhx
9
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
reference_id GHSA-gp2f-7wcm-5fhx
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
10
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27127, GHSA-gp2f-7wcm-5fhx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fpea-e48p-kfbn
18
url VCID-h6t5-pdp5-8qhe
vulnerability_id VCID-h6t5-pdp5-8qhe
summary 
Craft CMS Potential Remote Code Execution via Twig SSTI
Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Note: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)

Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.

Resources: https://github.com/craftcms/cms/pull/17612
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc
2
reference_url https://github.com/craftcms/cms/pull/17612
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/pull/17612
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-57811
reference_id CVE-2025-57811
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-57811
4
reference_url https://github.com/advisories/GHSA-crcq-738g-pqvc
reference_id GHSA-crcq-738g-pqvc
reference_type
scores
url https://github.com/advisories/GHSA-crcq-738g-pqvc
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc
reference_id GHSA-crcq-738g-pqvc
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
reference_id GHSA-f3cw-hg6r-chfv
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.7
purl pkg:composer/craftcms/cms@5.8.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-qwmy-d2e8-5khw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7
aliases CVE-2025-57811, GHSA-crcq-738g-pqvc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h6t5-pdp5-8qhe
19
url VCID-hkp9-3hzv-quhk
vulnerability_id VCID-hkp9-3hzv-quhk
summary 
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.

This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27129
reference_id CVE-2026-27129
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27129
3
reference_url https://github.com/advisories/GHSA-v2gc-rm6g-wrw9
reference_id GHSA-v2gc-rm6g-wrw9
reference_type
scores
url https://github.com/advisories/GHSA-v2gc-rm6g-wrw9
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
reference_id GHSA-v2gc-rm6g-wrw9
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value 5.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.23
purl pkg:composer/craftcms/cms@5.8.23
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23
aliases CVE-2026-27129, GHSA-v2gc-rm6g-wrw9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hkp9-3hzv-quhk
20
url VCID-hyct-5gap-7kdu
vulnerability_id VCID-hyct-5gap-7kdu
summary 
Craft CMS has a potential information disclosure vulnerability in preview tokens
Craft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`.  The endpoint accepts an attacker-supplied `previewToken`.

Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.

That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29113
reference_id CVE-2026-29113
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29113
3
reference_url https://github.com/advisories/GHSA-vg3j-hpm9-8v5v
reference_id GHSA-vg3j-hpm9-8v5v
reference_type
scores
url https://github.com/advisories/GHSA-vg3j-hpm9-8v5v
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v
reference_id GHSA-vg3j-hpm9-8v5v
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.7
purl pkg:composer/craftcms/cms@5.9.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7
aliases CVE-2026-29113, GHSA-vg3j-hpm9-8v5v
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hyct-5gap-7kdu
21
url VCID-jeyh-3jxd-z3g6
vulnerability_id VCID-jeyh-3jxd-z3g6
summary 
Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
The `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.
An attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).

> [!NOTE]
> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25495
reference_id CVE-2026-25495
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25495
5
reference_url https://github.com/advisories/GHSA-2453-mppf-46cj
reference_id GHSA-2453-mppf-46cj
reference_type
scores
url https://github.com/advisories/GHSA-2453-mppf-46cj
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
reference_id GHSA-2453-mppf-46cj
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25495, GHSA-2453-mppf-46cj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jeyh-3jxd-z3g6
22
url VCID-jsfs-azcs-mfcm
vulnerability_id VCID-jsfs-azcs-mfcm
summary 
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Note: This is a follow-up to https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

Users should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue.
references
0
reference_url http://github.com/craftcms/cms/pull/17026
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://github.com/craftcms/cms/pull/17026
1
reference_url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
2
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-46731
reference_id CVE-2025-46731
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-46731
4
reference_url https://github.com/advisories/GHSA-7c58-g782-9j38
reference_id GHSA-7c58-g782-9j38
reference_type
scores
url https://github.com/advisories/GHSA-7c58-g782-9j38
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38
reference_id GHSA-7c58-g782-9j38
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
reference_id GHSA-f3cw-hg6r-chfv
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
fixed_packages
0
url pkg:composer/craftcms/cms@5.6.15
purl pkg:composer/craftcms/cms@5.6.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15
aliases CVE-2025-46731, GHSA-7c58-g782-9j38
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jsfs-azcs-mfcm
23
url VCID-jxz8-g6fq-dubw
vulnerability_id VCID-jxz8-g6fq-dubw
summary 
Craft CMS: Entries Authorship Spoofing via Mass Assignment
The entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with "Create Entries" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.

Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8
2
reference_url https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28781
reference_id CVE-2026-28781
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28781
4
reference_url https://github.com/advisories/GHSA-2xfc-g69j-x2mp
reference_id GHSA-2xfc-g69j-x2mp
reference_type
scores
url https://github.com/advisories/GHSA-2xfc-g69j-x2mp
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp
reference_id GHSA-2xfc-g69j-x2mp
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28781, GHSA-2xfc-g69j-x2mp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz8-g6fq-dubw
24
url VCID-kbrc-85av-nfcn
vulnerability_id VCID-kbrc-85av-nfcn
summary 
Craft CMS: GraphQL Asset Mutation Privilege Escalation
Type: Privilege Escalation (CWE-269)
Affected: Craft CMS 5.x (likely affects 4.x and 3.x as well)
Location: `src/gql/resolvers/mutations/Asset.php lines 57-107`
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409
2
reference_url https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25497
reference_id CVE-2026-25497
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25497
6
reference_url https://github.com/advisories/GHSA-fxp3-g6gw-4r4v
reference_id GHSA-fxp3-g6gw-4r4v
reference_type
scores
url https://github.com/advisories/GHSA-fxp3-g6gw-4r4v
7
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v
reference_id GHSA-fxp3-g6gw-4r4v
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-25497, GHSA-fxp3-g6gw-4r4v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kbrc-85av-nfcn
25
url VCID-m5rf-usae-yfb7
vulnerability_id VCID-m5rf-usae-yfb7
summary 
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
Stored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
2
reference_url https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276
3
reference_url https://github.com/advisories/GHSA-4mgv-366x-qxvx
reference_id GHSA-4mgv-366x-qxvx
reference_type
scores
url https://github.com/advisories/GHSA-4mgv-366x-qxvx
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx
reference_id GHSA-4mgv-366x-qxvx
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases GHSA-4mgv-366x-qxvx
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m5rf-usae-yfb7
26
url VCID-pgm4-svq8-tfc5
vulnerability_id VCID-pgm4-svq8-tfc5
summary 
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that
was added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).

The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.

Any authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`,
`criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.

Users should update to the patched 5.9.9 release to mitigate the issue.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31858
reference_id CVE-2026-31858
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31858
3
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
reference_id GHSA-2453-mppf-46cj
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj
4
reference_url https://github.com/advisories/GHSA-g7j6-fmwx-7vp8
reference_id GHSA-g7j6-fmwx-7vp8
reference_type
scores
url https://github.com/advisories/GHSA-g7j6-fmwx-7vp8
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8
reference_id GHSA-g7j6-fmwx-7vp8
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.9
purl pkg:composer/craftcms/cms@5.9.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9
aliases CVE-2026-31858, GHSA-g7j6-fmwx-7vp8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pgm4-svq8-tfc5
27
url VCID-ppet-ruae-1kav
vulnerability_id VCID-ppet-ruae-1kav
summary 
Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
The `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25493
reference_id CVE-2026-25493
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25493
5
reference_url https://github.com/advisories/GHSA-8jr8-7hr4-vhfx
reference_id GHSA-8jr8-7hr4-vhfx
reference_type
scores
url https://github.com/advisories/GHSA-8jr8-7hr4-vhfx
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
reference_id GHSA-8jr8-7hr4-vhfx
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25493, GHSA-8jr8-7hr4-vhfx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ppet-ruae-1kav
28
url VCID-qq68-3j4y-47am
vulnerability_id VCID-qq68-3j4y-47am
summary 
Craft CMS Allows Remote Code Execution
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g

This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.
references
0
reference_url https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
3
reference_url https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
4
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
5
reference_url https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
6
reference_url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms
7
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432
8
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py
reference_id CVE-2025-32432
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-32432
reference_id CVE-2025-32432
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-32432
10
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
reference_id GHSA-4w8r-3xrw-v25g
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
11
reference_url https://github.com/advisories/GHSA-f3gw-9ww9-jmc3
reference_id GHSA-f3gw-9ww9-jmc3
reference_type
scores
url https://github.com/advisories/GHSA-f3gw-9ww9-jmc3
12
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
reference_id GHSA-f3gw-9ww9-jmc3
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
fixed_packages
0
url pkg:composer/craftcms/cms@5.6.17
purl pkg:composer/craftcms/cms@5.6.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17
aliases CVE-2025-32432, GHSA-f3gw-9ww9-jmc3
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am
29
url VCID-qywv-vf4r-8bh9
vulnerability_id VCID-qywv-vf4r-8bh9
summary 
Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28696
reference_id CVE-2026-28696
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28696
3
reference_url https://github.com/advisories/GHSA-7x43-mpfg-r9wj
reference_id GHSA-7x43-mpfg-r9wj
reference_type
scores
url https://github.com/advisories/GHSA-7x43-mpfg-r9wj
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj
reference_id GHSA-7x43-mpfg-r9wj
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28696, GHSA-7x43-mpfg-r9wj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qywv-vf4r-8bh9
30
url VCID-r5hp-5nju-9ubz
vulnerability_id VCID-r5hp-5nju-9ubz
summary 
Craft CMS has a potential RCE with a compromised security key
This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.

https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret

Anyone running an unpatched version of Craft with a compromised security key is affected.
references
0
reference_url https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
3
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
reference_id
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-23209
reference_id CVE-2025-23209
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-23209
5
reference_url https://github.com/advisories/GHSA-x684-96hh-833x
reference_id GHSA-x684-96hh-833x
reference_type
scores
url https://github.com/advisories/GHSA-x684-96hh-833x
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
reference_id GHSA-x684-96hh-833x
reference_type
scores
0
value 8.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
fixed_packages
0
url pkg:composer/craftcms/cms@5.5.8
purl pkg:composer/craftcms/cms@5.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dbcz-erbe-u7dt
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8
aliases CVE-2025-23209, GHSA-x684-96hh-833x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r5hp-5nju-9ubz
31
url VCID-rb7c-3nkc-gkeg
vulnerability_id VCID-rb7c-3nkc-gkeg
summary 
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.

Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References:

https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
2
reference_url https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68437
reference_id CVE-2025-68437
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-68437
4
reference_url https://github.com/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
url https://github.com/advisories/GHSA-x27p-wfqw-hfcc
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
reference_id GHSA-x27p-wfqw-hfcc
reference_type
scores
0
value 5.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.21
purl pkg:composer/craftcms/cms@5.8.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21
aliases CVE-2025-68437, GHSA-x27p-wfqw-hfcc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rb7c-3nkc-gkeg
32
url VCID-twuy-wzb7-k7g3
vulnerability_id VCID-twuy-wzb7-k7g3
summary 
Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
A stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513
2
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/4.16.18
3
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25496
reference_id CVE-2026-25496
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25496
5
reference_url https://github.com/advisories/GHSA-9f5h-mmq6-2x78
reference_id GHSA-9f5h-mmq6-2x78
reference_type
scores
url https://github.com/advisories/GHSA-9f5h-mmq6-2x78
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
reference_id GHSA-9f5h-mmq6-2x78
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25496, GHSA-9f5h-mmq6-2x78
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-twuy-wzb7-k7g3
33
url VCID-vasz-rnn1-67ev
vulnerability_id VCID-vasz-rnn1-67ev
summary 
Craft CMS has Twig Function Blocklist Bypass
Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.

In order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.

Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.

Twig has already deprecated this behavior, and it will eventually be removed from Twig altogether.

https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096

This has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Clousure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.

Existing projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/pull/18208
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/pull/18208
2
reference_url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
reference_id CVE-2026-28783
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
4
reference_url https://github.com/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
url https://github.com/advisories/GHSA-5fvc-7894-ghp4
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28783, GHSA-5fvc-7894-ghp4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vasz-rnn1-67ev
34
url VCID-vvhc-rnpr-ubey
vulnerability_id VCID-vvhc-rnpr-ubey
summary 
Craft CMS Vulnerable to Stored XSS in Entry Types Name
Stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.

---
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4
2
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/releases/tag/5.8.22
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25491
reference_id CVE-2026-25491
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25491
4
reference_url https://github.com/advisories/GHSA-7pr4-wx9w-mqwr
reference_id GHSA-7pr4-wx9w-mqwr
reference_type
scores
url https://github.com/advisories/GHSA-7pr4-wx9w-mqwr
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr
reference_id GHSA-7pr4-wx9w-mqwr
reference_type
scores
0
value 1.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr
fixed_packages
0
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
aliases CVE-2026-25491, GHSA-7pr4-wx9w-mqwr
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vvhc-rnpr-ubey
35
url VCID-w9yn-1573-hyau
vulnerability_id VCID-w9yn-1573-hyau
summary 
Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements.
Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request.

Furthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.
references
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28782
reference_id CVE-2026-28782
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28782
3
reference_url https://github.com/advisories/GHSA-jxm3-pmm2-9gf6
reference_id GHSA-jxm3-pmm2-9gf6
reference_type
scores
url https://github.com/advisories/GHSA-jxm3-pmm2-9gf6
4
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
reference_id GHSA-jxm3-pmm2-9gf6
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
fixed_packages
0
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
aliases CVE-2026-28782, GHSA-jxm3-pmm2-9gf6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w9yn-1573-hyau
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1