Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/82280?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/82280?format=api", "purl": "pkg:composer/craftcms/cms@5.2.2", "type": "composer", "namespace": "craftcms", "name": "cms", "version": "5.2.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.9.15", "latest_non_vulnerable_version": "5.9.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/261762?format=api", "vulnerability_id": "VCID-2hpx-adwu-jka3", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41800", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00258", "scoring_system": "epss", "scoring_elements": "0.49376", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-41800" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-26T15:26:45Z/" } ], "url": "https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-26T15:26:45Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.2.3" }, { "reference_url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-26T15:26:45Z/" } ], "url": "https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41800", "reference_id": "CVE-2024-41800", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41800" }, { "reference_url": "https://github.com/advisories/GHSA-wmx7-pw49-88jx", "reference_id": "GHSA-wmx7-pw49-88jx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wmx7-pw49-88jx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx", "reference_id": "GHSA-wmx7-pw49-88jx", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-26T15:26:45Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82281?format=api", "purl": "pkg:composer/craftcms/cms@5.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-n648-rgev-bydr" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-pjsn-x6mp-57c9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-tshq-ktbd-juak" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-wj8y-tapy-p3f1" }, { "vulnerability": "VCID-wx6u-ss6p-3ue3" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.2.3" } ], "aliases": [ "CVE-2024-41800", "GHSA-wmx7-pw49-88jx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2hpx-adwu-jka3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21983?format=api", "vulnerability_id": "VCID-2re8-4twc-eqez", "summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.7112", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68454" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454", "reference_id": "CVE-2025-68454", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68454" }, { "reference_url": "https://github.com/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-742x-x762-7383" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383", "reference_id": "GHSA-742x-x762-7383", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71963?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68454", "GHSA-742x-x762-7383" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2re8-4twc-eqez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/300857?format=api", "vulnerability_id": "VCID-33wy-gw8z-gud7", "summary": "", "references": [ { "reference_url": "http://github.com/craftcms/cms/pull/17026", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://github.com/craftcms/cms/pull/17026" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00909", "scoring_system": "epss", "scoring_elements": "0.76153", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46731" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46731" }, { "reference_url": "https://github.com/advisories/GHSA-7c58-g782-9j38", "reference_id": "GHSA-7c58-g782-9j38", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7c58-g782-9j38" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/196198?format=api", "purl": "pkg:composer/craftcms/cms@5.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zbrb-dmub-67as" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.15" } ], "aliases": [ "CVE-2025-46731", "GHSA-7c58-g782-9j38" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-33wy-gw8z-gud7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/328595?format=api", "vulnerability_id": "VCID-3u81-kkt8-j7e7", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02764", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33158" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T20:24:35Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33158" }, { "reference_url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c", "reference_id": "GHSA-3pvf-vxrv-hh9c", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3pvf-vxrv-hh9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/190216?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33158", "GHSA-3pvf-vxrv-hh9c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3u81-kkt8-j7e7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22949?format=api", "vulnerability_id": "VCID-4zfr-4pgf-zke4", "summary": "Craft CMS Vulnerable to Authenticated RCE via \"craft.app.fs.write()\" in Twig Templates\nAn authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00208", "scoring_system": "epss", "scoring_elements": "0.43203", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28697" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197" }, { "reference_url": "https://github.com/craftcms/cms/pull/18216", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18216" }, { "reference_url": "https://github.com/craftcms/cms/pull/18219", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/pull/18219" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697", "reference_id": "CVE-2026-28697", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697" }, { "reference_url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v47q-jxvr-p68x" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x", "reference_id": "GHSA-v47q-jxvr-p68x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-04T18:02:12Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28697", "GHSA-v47q-jxvr-p68x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4zfr-4pgf-zke4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22482?format=api", "vulnerability_id": "VCID-51qg-ehr3-3qeu", "summary": "Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation\nThe `saveAsset` GraphQL mutation uses `filter_var(..., FILTER_VALIDATE_IP)` to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05224", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25494" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494", "reference_id": "CVE-2026-25494", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25494" }, { "reference_url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m5r2-8p9x-hp5m" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m", "reference_id": "GHSA-m5r2-8p9x-hp5m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:49Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25494", "GHSA-m5r2-8p9x-hp5m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-51qg-ehr3-3qeu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21982?format=api", "vulnerability_id": "VCID-5h4n-14xc-uuf6", "summary": "Craft CMS vulnerable to potential information disclosure via unchecked asset relocation\nAuthenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\n Resources:\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9\n\nhttps://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17789", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68436" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436", "reference_id": "CVE-2025-68436", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68436" }, { "reference_url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53vf-c43h-j2x9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9", "reference_id": "GHSA-53vf-c43h-j2x9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71963?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68436", "GHSA-53vf-c43h-j2x9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5h4n-14xc-uuf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23197?format=api", "vulnerability_id": "VCID-68jz-k8d5-u7dk", "summary": "Craft CMS has a potential information disclosure vulnerability in preview tokens\nCraft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`.\n\nBecause the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.\n\nThat token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00696", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29113" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113", "reference_id": "CVE-2026-29113", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29113" }, { "reference_url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vg3j-hpm9-8v5v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "reference_id": "GHSA-vg3j-hpm9-8v5v", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T20:05:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73374?format=api", "purl": "pkg:composer/craftcms/cms@5.9.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.7" } ], "aliases": [ "CVE-2026-29113", "GHSA-vg3j-hpm9-8v5v" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-68jz-k8d5-u7dk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21991?format=api", "vulnerability_id": "VCID-6epu-syvm-d3ed", "summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4) The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01513", "scoring_system": "epss", "scoring_elements": "0.81517", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68455" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7" }, { "reference_url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef" }, { "reference_url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455", "reference_id": "CVE-2025-68455", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455" }, { "reference_url": "https://github.com/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5", "reference_id": "GHSA-255j-qw47-wjh5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-06T14:26:28Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71963?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68455", "GHSA-255j-qw47-wjh5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6epu-syvm-d3ed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23266?format=api", "vulnerability_id": "VCID-76vz-cxx8-z7fc", "summary": "Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page\nA stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.\n\n> [!NOTE]\n> This is a separate vulnerability from the previously reported \"[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)\" and \"[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)\". This affects a different sink: the individual user's permissions page.", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/advisories/GHSA-g3hp-vvqf-8vw6", "reference_id": "GHSA-g3hp-vvqf-8vw6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g3hp-vvqf-8vw6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6", "reference_id": "GHSA-g3hp-vvqf-8vw6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "GHSA-g3hp-vvqf-8vw6" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-76vz-cxx8-z7fc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22483?format=api", "vulnerability_id": "VCID-7b71-dsva-cfan", "summary": "Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields\nA stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the `|md|raw` Twig filter without proper escaping, allowing script execution when the Number field is displayed on users' profiles.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06771", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25496" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/cb5fb0e979e72f315c9178fc031883d49527f513" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496", "reference_id": "CVE-2026-25496", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25496" }, { "reference_url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9f5h-mmq6-2x78" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78", "reference_id": "GHSA-9f5h-mmq6-2x78", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-9f5h-mmq6-2x78" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25496", "GHSA-9f5h-mmq6-2x78" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7b71-dsva-cfan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22485?format=api", "vulnerability_id": "VCID-ccwe-z8nr-3qhq", "summary": "Craft CMS: GraphQL Asset Mutation Privilege Escalation\nType: Privilege Escalation (CWE-269)\nAffected: Craft CMS 5.x (likely affects 4.x and 3.x as well)\nLocation: `src/gql/resolvers/mutations/Asset.php lines 57-107`", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06328", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25497" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.0-beta.1" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.0-beta.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497", "reference_id": "CVE-2026-25497", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25497" }, { "reference_url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxp3-g6gw-4r4v" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v", "reference_id": "GHSA-fxp3-g6gw-4r4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-25497", "GHSA-fxp3-g6gw-4r4v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ccwe-z8nr-3qhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23049?format=api", "vulnerability_id": "VCID-ch5h-xzgt-6kgs", "summary": "Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action\nThe \"Duplicate\" entry action does not properly verify if the user has permission to perform this action on the specific target elements.\nEven with only \"View Entries\" permission (where the \"Duplicate\" action is restricted in the UI), a user can bypass this restriction by sending a direct request.\n\nFurthermore, this vulnerability allows duplicating **other users' entries** by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12972", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28782" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782", "reference_id": "CVE-2026-28782", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782" }, { "reference_url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jxm3-pmm2-9gf6" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6", "reference_id": "GHSA-jxm3-pmm2-9gf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28782", "GHSA-jxm3-pmm2-9gf6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ch5h-xzgt-6kgs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22740?format=api", "vulnerability_id": "VCID-efkn-13cf-97c3", "summary": "Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc))", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01554", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27129" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129", "reference_id": "CVE-2026-27129", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27129" }, { "reference_url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "reference_id": "GHSA-v2gc-rm6g-wrw9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72975?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27129", "GHSA-v2gc-rm6g-wrw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-efkn-13cf-97c3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22952?format=api", "vulnerability_id": "VCID-ejv9-c3hf-jfax", "summary": "Craft CMS has Twig Function Blocklist Bypass\nCraft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.\n\nIn order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.\n\nSeveral PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.\n\nTwig has already deprecated this behavior, and it will eventually be removed from Twig altogether.\n\nhttps://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096\n\nThis has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Clousure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.\n\nExisting projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11162", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28783" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783", "reference_id": "CVE-2026-28783", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783" }, { "reference_url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5fvc-7894-ghp4" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4", "reference_id": "GHSA-5fvc-7894-ghp4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28783", "GHSA-5fvc-7894-ghp4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ejv9-c3hf-jfax" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22769?format=api", "vulnerability_id": "VCID-g17s-3ghd-5fhm", "summary": "Craft CMS has Stored XSS in Table Field in its \"Row Heading\" Column Type\nA stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.", "references": [ { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.19", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.19" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.23", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.23" }, { "reference_url": "https://github.com/advisories/GHSA-6j87-m5qx-9fqp", "reference_id": "GHSA-6j87-m5qx-9fqp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6j87-m5qx-9fqp" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp", "reference_id": "GHSA-6j87-m5qx-9fqp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72975?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "GHSA-6j87-m5qx-9fqp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g17s-3ghd-5fhm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23020?format=api", "vulnerability_id": "VCID-j9n2-1u2k-ckc5", "summary": "Craft CMS has potential authenticated Remote Code Execution via Twig SSTI\nFor this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nAlternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.\n\nIt is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.\n\nUsers should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/pull/18208", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0631", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28784" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/pull/18208", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/pull/18208" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784", "reference_id": "CVE-2026-28784", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784" }, { "reference_url": "https://github.com/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qc86-q28f-ggww" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww", "reference_id": "GHSA-qc86-q28f-ggww", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:32:46Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28784", "GHSA-qc86-q28f-ggww" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j9n2-1u2k-ckc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/307843?format=api", "vulnerability_id": "VCID-jxub-yja7-2qhf", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00227", "scoring_system": "epss", "scoring_elements": "0.45524", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-57811" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc" }, { "reference_url": "https://github.com/craftcms/cms/pull/17612", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/pull/17612" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57811" }, { "reference_url": "https://github.com/advisories/GHSA-crcq-738g-pqvc", "reference_id": "GHSA-crcq-738g-pqvc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-crcq-738g-pqvc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73199?format=api", "purl": "pkg:composer/craftcms/cms@5.8.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7" } ], "aliases": [ "CVE-2025-57811", "GHSA-crcq-738g-pqvc" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jxub-yja7-2qhf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22478?format=api", "vulnerability_id": "VCID-jy6d-5zfh-7ycp", "summary": "Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00315", "scoring_system": "epss", "scoring_elements": "0.54864", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25498" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498", "reference_id": "CVE-2026-25498", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25498" }, { "reference_url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:09Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25498", "GHSA-7jx7-3846-m7w7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jy6d-5zfh-7ycp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23019?format=api", "vulnerability_id": "VCID-m28c-yq43-a7cq", "summary": "Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options\nStored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.\n\n---", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2" }, { "reference_url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276" }, { "reference_url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4mgv-366x-qxvx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx", "reference_id": "GHSA-4mgv-366x-qxvx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4mgv-366x-qxvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "GHSA-4mgv-366x-qxvx" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m28c-yq43-a7cq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/328596?format=api", "vulnerability_id": "VCID-mfvj-g7bk-h3hw", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08817", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33159" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33159" }, { "reference_url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w", "reference_id": "GHSA-6mrr-q3pj-h53w", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mrr-q3pj-h53w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/190216?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33159", "GHSA-6mrr-q3pj-h53w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mfvj-g7bk-h3hw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/286926?format=api", "vulnerability_id": "VCID-n648-rgev-bydr", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.1639", "scoring_system": "epss", "scoring_elements": "0.9498", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-23209" }, { "reference_url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-21T04:56:13Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23209" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209" }, { "reference_url": "https://github.com/advisories/GHSA-x684-96hh-833x", "reference_id": "GHSA-x684-96hh-833x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x684-96hh-833x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/193934?format=api", "purl": "pkg:composer/craftcms/cms@5.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zbrb-dmub-67as" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.8" } ], "aliases": [ "CVE-2025-23209", "GHSA-x684-96hh-833x" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n648-rgev-bydr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22708?format=api", "vulnerability_id": "VCID-ntx4-ssgk-jqgh", "summary": "Craft CMS has Stored XSS in Table Field via \"HTML\" Column Type\nA stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27126", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01801", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27126" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/" } ], "url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27126", "reference_id": "CVE-2026-27126", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27126" }, { "reference_url": "https://github.com/advisories/GHSA-3jh3-prx3-w6wc", "reference_id": "GHSA-3jh3-prx3-w6wc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3jh3-prx3-w6wc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc", "reference_id": "GHSA-3jh3-prx3-w6wc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:33:58Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72975?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27126", "GHSA-3jh3-prx3-w6wc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ntx4-ssgk-jqgh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/295255?format=api", "vulnerability_id": "VCID-nyqy-y3dw-eyer", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.33065", "scoring_system": "epss", "scoring_elements": "0.9698", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-35939" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2" }, { "reference_url": "https://github.com/craftcms/cms/pull/17220", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" } ], "url": "https://github.com/craftcms/cms/pull/17220" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.15.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.15.3" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.7.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.7.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35939" }, { "reference_url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939" }, { "reference_url": "https://www.cve.org/CVERecord?id=CVE-2025-35939", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/" }, { "value": "Attend", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/" } ], "url": "https://www.cve.org/CVERecord?id=CVE-2025-35939" }, { "reference_url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2", "reference_id": "GHSA-7vrx-9684-xrf2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7vrx-9684-xrf2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73576?format=api", "purl": "pkg:composer/craftcms/cms@5.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zbrb-dmub-67as" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5" } ], "aliases": [ "CVE-2025-35939", "GHSA-7vrx-9684-xrf2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nyqy-y3dw-eyer" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21996?format=api", "vulnerability_id": "VCID-pggs-g9c8-w7d1", "summary": "Unauthenticated Craft CMS users can trigger a database backup\nUnauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:\n\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00219", "scoring_system": "epss", "scoring_elements": "0.44587", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68456" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456", "reference_id": "CVE-2025-68456", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68456" }, { "reference_url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v64r-7wg9-23pr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr", "reference_id": "GHSA-v64r-7wg9-23pr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71963?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68456", "GHSA-v64r-7wg9-23pr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pggs-g9c8-w7d1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/269697?format=api", "vulnerability_id": "VCID-pjsn-x6mp-57c9", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00428", "scoring_system": "epss", "scoring_elements": "0.62721", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52292" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T18:52:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52292" }, { "reference_url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w", "reference_id": "GHSA-cw6g-qmjq-6w2w", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cw6g-qmjq-6w2w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/187819?format=api", "purl": "pkg:composer/craftcms/cms@5.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-n648-rgev-bydr" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-wx6u-ss6p-3ue3" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.9" } ], "aliases": [ "CVE-2024-52292", "GHSA-cw6g-qmjq-6w2w" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pjsn-x6mp-57c9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/328597?format=api", "vulnerability_id": "VCID-q1jg-5qq3-zkbv", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00016", "scoring_system": "epss", "scoring_elements": "0.03755", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5pgf-h923-m958" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33160" }, { "reference_url": "https://github.com/craftcms/cms/commit/7290d91639e", "reference_id": "7290d91639e", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T19:31:42Z/" } ], "url": "https://github.com/craftcms/cms/commit/7290d91639e" }, { "reference_url": "https://github.com/advisories/GHSA-5pgf-h923-m958", "reference_id": "GHSA-5pgf-h923-m958", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5pgf-h923-m958" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/190216?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33160", "GHSA-5pgf-h923-m958" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q1jg-5qq3-zkbv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23274?format=api", "vulnerability_id": "VCID-rhm7-ju23-yuby", "summary": "CraftCMS's `ElementSearchController` Affected by Blind SQL Injection\nThe `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that\nwas added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).\n\nThe exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.\n\nAny authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`,\n`criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.\n\nUsers should update to the patched 5.9.9 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31858", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13516", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31858" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31858", "reference_id": "CVE-2026-31858", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31858" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj" }, { "reference_url": "https://github.com/advisories/GHSA-g7j6-fmwx-7vp8", "reference_id": "GHSA-g7j6-fmwx-7vp8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g7j6-fmwx-7vp8" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8", "reference_id": "GHSA-g7j6-fmwx-7vp8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:01:02Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73593?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31858", "GHSA-g7j6-fmwx-7vp8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rhm7-ju23-yuby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/328598?format=api", "vulnerability_id": "VCID-rnze-pnhe-abh4", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11073", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33161" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:01:51Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33161" }, { "reference_url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2", "reference_id": "GHSA-vgjg-248p-rfm2", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgjg-248p-rfm2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/190216?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "CVE-2026-33161", "GHSA-vgjg-248p-rfm2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rnze-pnhe-abh4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/327894?format=api", "vulnerability_id": "VCID-rrce-ncgp-qbcg", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14645", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32267" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T15:43:19Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32267" }, { "reference_url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf", "reference_id": "GHSA-cc7p-2j3x-x7xf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cc7p-2j3x-x7xf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/189604?format=api", "purl": "pkg:composer/craftcms/cms@5.9.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.12" } ], "aliases": [ "CVE-2026-32267", "GHSA-cc7p-2j3x-x7xf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rrce-ncgp-qbcg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22705?format=api", "vulnerability_id": "VCID-s9mh-xu8b-fqgf", "summary": "Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00722", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27127" }, { "reference_url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575" }, { "reference_url": "https://github.com/mogwailabs/DNSrebinder", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mogwailabs/DNSrebinder" }, { "reference_url": "https://github.com/nccgroup/singularity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nccgroup/singularity" }, { "reference_url": "https://github.com/taviso/rbndr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/taviso/rbndr" }, { "reference_url": "https://unit42.paloaltonetworks.com/dns-rebinding", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://unit42.paloaltonetworks.com/dns-rebinding" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127", "reference_id": "CVE-2026-27127", "reference_type": "", "scores": [ { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27127" }, { "reference_url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "reference_id": "GHSA-gp2f-7wcm-5fhx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72975?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27127", "GHSA-gp2f-7wcm-5fhx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s9mh-xu8b-fqgf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21971?format=api", "vulnerability_id": "VCID-t5h6-xvev-f3g7", "summary": "Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation\nThe Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.\n\nUsers should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References:\n\nhttps://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0579", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68437" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04" }, { "reference_url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437", "reference_id": "CVE-2025-68437", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68437" }, { "reference_url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x27p-wfqw-hfcc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "reference_id": "GHSA-x27p-wfqw-hfcc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71963?format=api", "purl": "pkg:composer/craftcms/cms@5.8.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21" } ], "aliases": [ "CVE-2025-68437", "GHSA-x27p-wfqw-hfcc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t5h6-xvev-f3g7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/269696?format=api", "vulnerability_id": "VCID-tshq-ktbd-juak", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00128", "scoring_system": "epss", "scoring_elements": "0.31765", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52291" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:50:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52291" }, { "reference_url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q", "reference_id": "GHSA-jrh5-vhr9-qh7q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jrh5-vhr9-qh7q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/187870?format=api", "purl": "pkg:composer/craftcms/cms@5.4.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-n648-rgev-bydr" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-pjsn-x6mp-57c9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-wx6u-ss6p-3ue3" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.6" } ], "aliases": [ "CVE-2024-52291", "GHSA-jrh5-vhr9-qh7q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tshq-ktbd-juak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/332441?format=api", "vulnerability_id": "VCID-ttgr-49ur-z7aa", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16245", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41130" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/commit/ebe7e85f1c89700d64332f72492be2e9a594e783" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-22T14:18:44Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-95wr-3f2v-v2wh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41130" }, { "reference_url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh", "reference_id": "GHSA-95wr-3f2v-v2wh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95wr-3f2v-v2wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/188588?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41130", "GHSA-95wr-3f2v-v2wh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ttgr-49ur-z7aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22490?format=api", "vulnerability_id": "VCID-u3cv-q3ft-qkhj", "summary": "Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect\nThe `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05224", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25493" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493", "reference_id": "CVE-2026-25493", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25493" }, { "reference_url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jr8-7hr4-vhfx" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx", "reference_id": "GHSA-8jr8-7hr4-vhfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:39:50Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25493", "GHSA-8jr8-7hr4-vhfx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u3cv-q3ft-qkhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22706?format=api", "vulnerability_id": "VCID-ukq9-ggdc-byf5", "summary": "Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit\nA Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.\n\nTo make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.\n\nFor this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27128", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0063", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27128" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/" } ], "url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27128", "reference_id": "CVE-2026-27128", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27128" }, { "reference_url": "https://github.com/advisories/GHSA-6fx5-5cw5-4897", "reference_id": "GHSA-6fx5-5cw5-4897", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6fx5-5cw5-4897" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "reference_id": "GHSA-6fx5-5cw5-4897", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:13:24Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72975?format=api", "purl": "pkg:composer/craftcms/cms@5.8.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23" } ], "aliases": [ "CVE-2026-27128", "GHSA-6fx5-5cw5-4897" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ukq9-ggdc-byf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22481?format=api", "vulnerability_id": "VCID-uzyt-dujv-nqh6", "summary": "Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`\nThe `element-indexes/get-elements` endpoint is vulnerable to **SQL Injection** via the `criteria[orderBy]` parameter (JSON body). The application fails to sanitize this input before using it in the database query.\nAn attacker with **Control Panel access** can inject arbitrary SQL into the `ORDER BY` clause by omitting `viewState[order]` (or setting both to the same payload).\n\n> [!NOTE]\n> The `ORDER BY` clause executes per row. `SLEEP(1)` on 10 rows = 10s delay.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03273", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25495" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/commit/96c60d775c644ff0a0276da52fe29e11d4cd38d2" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/4.16.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/releases/tag/4.16.18" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495", "reference_id": "CVE-2026-25495", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25495" }, { "reference_url": "https://github.com/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2453-mppf-46cj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj", "reference_id": "GHSA-2453-mppf-46cj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-10T15:32:10Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25495", "GHSA-2453-mppf-46cj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uzyt-dujv-nqh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23040?format=api", "vulnerability_id": "VCID-vg28-8erb-27ae", "summary": "Craft CMS: Entries Authorship Spoofing via Mass Assignment\nThe entry creation process allows for **Mass Assignment** of the `authorId` attribute. A user with \"Create Entries\" permission can inject the `authorIds[]` (or `authorId`) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others.\n\nNormally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.16098", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28781" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8" }, { "reference_url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781", "reference_id": "CVE-2026-28781", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781" }, { "reference_url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2xfc-g69j-x2mp" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "reference_id": "GHSA-2xfc-g69j-x2mp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:36:36Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28781", "GHSA-2xfc-g69j-x2mp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vg28-8erb-27ae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23283?format=api", "vulnerability_id": "VCID-vknb-zmk9-z3cc", "summary": "CraftCMS has an RCE vulnerability via relational conditionals in the control panel\nA Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.\n\nThe `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input\nthrough `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.\n\nAny authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full\nRCE by sending a crafted condition rule via standard element listing endpoints.\n\nThis vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and\nbypasses all production hardening settings (allowAdminChanges: false, devMode: false,\nenableTwigSandbox: true).\n\nUsers should update to the patched 5.99 release to mitigate the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00138", "scoring_system": "epss", "scoring_elements": "0.33454", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31857" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857", "reference_id": "CVE-2026-31857", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857" }, { "reference_url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fp5j-j7j4-mcxc" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "reference_id": "GHSA-fp5j-j7j4-mcxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-12T14:02:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73593?format=api", "purl": "pkg:composer/craftcms/cms@5.9.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.9" } ], "aliases": [ "CVE-2026-31857", "GHSA-fp5j-j7j4-mcxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vknb-zmk9-z3cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22484?format=api", "vulnerability_id": "VCID-w35e-5gaq-y3aw", "summary": "Craft CMS Vulnerable to Stored XSS in Entry Types Name\nStored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list.\n\n---", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25491", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05882", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25491" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/commit/cfd6ba0e2ce1a59a02d75cae6558c4ace1ab8bd4" }, { "reference_url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491", "reference_id": "CVE-2026-25491", "reference_type": "", "scores": [ { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25491" }, { "reference_url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7pr4-wx9w-mqwr" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr", "reference_id": "GHSA-7pr4-wx9w-mqwr", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "1.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-10T15:30:22Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7pr4-wx9w-mqwr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72740?format=api", "purl": "pkg:composer/craftcms/cms@5.8.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-mytj-88ea-73d9" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22" } ], "aliases": [ "CVE-2026-25491", "GHSA-7pr4-wx9w-mqwr" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w35e-5gaq-y3aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/294186?format=api", "vulnerability_id": "VCID-w9cn-xgye-jber", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.92897", "scoring_system": "epss", "scoring_elements": "0.99778", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32432" }, { "reference_url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical" }, { "reference_url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32432" }, { "reference_url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py", "reference_id": "CVE-2025-32432", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g", "reference_id": "GHSA-4w8r-3xrw-v25g", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g" }, { "reference_url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3", "reference_id": "GHSA-f3gw-9ww9-jmc3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3gw-9ww9-jmc3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/193372?format=api", "purl": "pkg:composer/craftcms/cms@5.6.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zbrb-dmub-67as" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17" } ], "aliases": [ "CVE-2025-32432", "GHSA-f3gw-9ww9-jmc3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w9cn-xgye-jber" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/346941?format=api", "vulnerability_id": "VCID-whnf-tybt-qqbf", "summary": "Craft CMS: Authorized asset \"preview file\" requests bypass allows users without asset access to retrieve private preview metadata\n### Summary\n\nAn authenticated low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data (`previewHtml`) for that private asset.\n\nThe returned preview HTML included a private preview image route containing the target private `assetId`, even though `canView` was `false` for the attacker account.\n\n### Details\n\n1. `assets/preview-file` accepts a maliciously controlled `assetId` and renders preview output.\n2. The action does not enforce per-asset view authorization prior to returning preview content.\n 3. As a result, an authenticated user without asset-view permission can still obtain private preview output.\n\nThis affects Craft installations with authenticated users of mixed privilege levels with private assets.\n\n### Resources\n\n- d30df3112220db1ffd6726a3ed11857014c7fb27\n- b1cddf72c98a", "references": [ { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/b1cddf72c98a66801beb04ea4b07e72182b7b7db" }, { "reference_url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44px-qjjc-xrhq" }, { "reference_url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq", "reference_id": "GHSA-44px-qjjc-xrhq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-44px-qjjc-xrhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/190216?format=api", "purl": "pkg:composer/craftcms/cms@5.9.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.14" } ], "aliases": [ "GHSA-44px-qjjc-xrhq" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-whnf-tybt-qqbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/269698?format=api", "vulnerability_id": "VCID-wj8y-tapy-p3f1", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.21994", "scoring_system": "epss", "scoring_elements": "0.95873", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-52293" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-11-13T18:54:41Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293" }, { "reference_url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv", "reference_id": "GHSA-f3cw-hg6r-chfv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f3cw-hg6r-chfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/187831?format=api", "purl": "pkg:composer/craftcms/cms@5.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-n648-rgev-bydr" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-pjsn-x6mp-57c9" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-tshq-ktbd-juak" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-wx6u-ss6p-3ue3" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.4.3" } ], "aliases": [ "CVE-2024-52293", "GHSA-f3cw-hg6r-chfv" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wj8y-tapy-p3f1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/271840?format=api", "vulnerability_id": "VCID-wx6u-ss6p-3ue3", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.93926", "scoring_system": "epss", "scoring_elements": "0.99886", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-56145" }, { "reference_url": "https://github.com/Chocapikk/CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Chocapikk/CVE-2024-56145" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Act", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56145" }, { "reference_url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145" }, { "reference_url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9", "reference_id": "GHSA-2p6p-9rc9-62j9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2p6p-9rc9-62j9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/187514?format=api", "purl": "pkg:composer/craftcms/cms@5.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2re8-4twc-eqez" }, { "vulnerability": "VCID-33wy-gw8z-gud7" }, { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-4zfr-4pgf-zke4" }, { "vulnerability": "VCID-51qg-ehr3-3qeu" }, { "vulnerability": "VCID-5h4n-14xc-uuf6" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-6epu-syvm-d3ed" }, { "vulnerability": "VCID-76vz-cxx8-z7fc" }, { "vulnerability": "VCID-7b71-dsva-cfan" }, { "vulnerability": "VCID-ccwe-z8nr-3qhq" }, { "vulnerability": "VCID-ch5h-xzgt-6kgs" }, { "vulnerability": "VCID-efkn-13cf-97c3" }, { "vulnerability": "VCID-ejv9-c3hf-jfax" }, { "vulnerability": "VCID-g17s-3ghd-5fhm" }, { "vulnerability": "VCID-j9n2-1u2k-ckc5" }, { "vulnerability": "VCID-jxub-yja7-2qhf" }, { "vulnerability": "VCID-jy6d-5zfh-7ycp" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-m28c-yq43-a7cq" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-n648-rgev-bydr" }, { "vulnerability": "VCID-ntx4-ssgk-jqgh" }, { "vulnerability": "VCID-nyqy-y3dw-eyer" }, { "vulnerability": "VCID-pggs-g9c8-w7d1" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-s9mh-xu8b-fqgf" }, { "vulnerability": "VCID-t5h6-xvev-f3g7" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-u3cv-q3ft-qkhj" }, { "vulnerability": "VCID-ukq9-ggdc-byf5" }, { "vulnerability": "VCID-uzyt-dujv-nqh6" }, { "vulnerability": "VCID-vg28-8erb-27ae" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-w35e-5gaq-y3aw" }, { "vulnerability": "VCID-w9cn-xgye-jber" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zh94-u2by-xkg5" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2" } ], "aliases": [ "CVE-2024-56145", "GHSA-2p6p-9rc9-62j9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wx6u-ss6p-3ue3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/332440?format=api", "vulnerability_id": "VCID-xpq3-v9ts-x7es", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13023", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41129" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T17:52:52Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41129" }, { "reference_url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx", "reference_id": "GHSA-3m9m-24vh-39wx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m9m-24vh-39wx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/188588?format=api", "purl": "pkg:composer/craftcms/cms@5.9.15", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.15" } ], "aliases": [ "CVE-2026-41129", "GHSA-3m9m-24vh-39wx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpq3-v9ts-x7es" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/327889?format=api", "vulnerability_id": "VCID-xysn-pqxv-hyds", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12346", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32262" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-17T15:21:57Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32262" }, { "reference_url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2", "reference_id": "GHSA-472v-j2g4-g9h2", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-472v-j2g4-g9h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/189981?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32262", "GHSA-472v-j2g4-g9h2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xysn-pqxv-hyds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/327891?format=api", "vulnerability_id": "VCID-zebb-ngev-a7de", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15298", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32264" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70" }, { "reference_url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32264" }, { "reference_url": "https://github.com/advisories/GHSA-4484-8v2f-5748", "reference_id": "GHSA-4484-8v2f-5748", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4484-8v2f-5748" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "reference_id": "GHSA-7jx7-3846-m7w7", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-17T15:20:18Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/189981?format=api", "purl": "pkg:composer/craftcms/cms@5.9.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.11" } ], "aliases": [ "CVE-2026-32264", "GHSA-4484-8v2f-5748" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zebb-ngev-a7de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23011?format=api", "vulnerability_id": "VCID-zh94-u2by-xkg5", "summary": "Craft CMS has IDOR via GraphQL @parseRefs\nThe GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00024", "scoring_system": "epss", "scoring_elements": "0.0719", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28696" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696", "reference_id": "CVE-2026-28696", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696" }, { "reference_url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7x43-mpfg-r9wj" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj", "reference_id": "GHSA-7x43-mpfg-r9wj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:00:48Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72746?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" }, { "vulnerability": "VCID-zybg-fqev-eber" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1" } ], "aliases": [ "CVE-2026-28696", "GHSA-7x43-mpfg-r9wj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zh94-u2by-xkg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/23085?format=api", "vulnerability_id": "VCID-zybg-fqev-eber", "summary": "Craft CMS has unauthenticated activation email trigger with potential user enumeration\nThe `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.\n\nThe vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.\n\nCraft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why `send-activation-email` is in the `allowAnonymous` array - it’s intentional self-service functionality.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.1781", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29069" }, { "reference_url": "https://github.com/craftcms/cms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/craftcms/cms" }, { "reference_url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069", "reference_id": "CVE-2026-29069", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29069" }, { "reference_url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-234q-vvw3-mrfq" }, { "reference_url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq", "reference_id": "GHSA-234q-vvw3-mrfq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "7.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:30:03Z/" } ], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73229?format=api", "purl": "pkg:composer/craftcms/cms@5.9.0-beta.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3u81-kkt8-j7e7" }, { "vulnerability": "VCID-64xk-a8pc-bkey" }, { "vulnerability": "VCID-68jz-k8d5-u7dk" }, { "vulnerability": "VCID-785m-94zq-mqe8" }, { "vulnerability": "VCID-gxan-r3pw-7uhw" }, { "vulnerability": "VCID-kf34-utdc-cbay" }, { "vulnerability": "VCID-mfvj-g7bk-h3hw" }, { "vulnerability": "VCID-p4uy-hbad-k3c2" }, { "vulnerability": "VCID-q1jg-5qq3-zkbv" }, { "vulnerability": "VCID-rhm7-ju23-yuby" }, { "vulnerability": "VCID-rnze-pnhe-abh4" }, { "vulnerability": "VCID-rrce-ncgp-qbcg" }, { "vulnerability": "VCID-t4zv-mpqc-9fbx" }, { "vulnerability": "VCID-ttgr-49ur-z7aa" }, { "vulnerability": "VCID-vknb-zmk9-z3cc" }, { "vulnerability": "VCID-whnf-tybt-qqbf" }, { "vulnerability": "VCID-xpq3-v9ts-x7es" }, { "vulnerability": "VCID-xysn-pqxv-hyds" }, { "vulnerability": "VCID-zebb-ngev-a7de" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.2" } ], "aliases": [ "CVE-2026-29069", "GHSA-234q-vvw3-mrfq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zybg-fqev-eber" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.2.2" }