{"url":"http://public2.vulnerablecode.io/api/packages/74586?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","type":"composer","namespace":"craftcms","name":"cms","version":"4.17.4","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"5.1.2","latest_non_vulnerable_version":"5.9.9","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50876?format=json","vulnerability_id":"VCID-4wkr-jx1w-77hn","summary":"CraftCMS has an RCE vulnerability via relational conditionals in the control panel\nA Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.\n\nThe `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input\nthrough `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.\n\nAny authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full\nRCE by sending a crafted condition rule via standard element listing endpoints.\n\nThis vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and\nbypasses all production hardening settings (allowAdminChanges: false, devMode: false,\nenableTwigSandbox: true).\n\nUsers should update to the patched 5.99 release to mitigate the issue.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857","reference_id":"CVE-2026-31857","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857"},{"reference_url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j-j7j4-mcxc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j-j7j4-mcxc","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74586?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/74806?format=json","purl":"pkg:composer/craftcms/cms@5.9.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9"}],"aliases":["CVE-2026-31857","GHSA-fp5j-j7j4-mcxc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4wkr-jx1w-77hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50790?format=json","vulnerability_id":"VCID-hyct-5gap-7kdu","summary":"Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`.  The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113","reference_id":"CVE-2026-29113","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113"},{"reference_url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74586?format=json","purl":"pkg:composer/craftcms/cms@4.17.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/74587?format=json","purl":"pkg:composer/craftcms/cms@5.9.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7"}],"aliases":["CVE-2026-29113","GHSA-vg3j-hpm9-8v5v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyct-5gap-7kdu"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.4"}