{"url":"http://public2.vulnerablecode.io/api/packages/83574?format=json","purl":"pkg:composer/craftcms/cms@3.9.14","type":"composer","namespace":"craftcms","name":"cms","version":"3.9.14","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.17.12","latest_non_vulnerable_version":"5.9.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49586?format=json","vulnerability_id":"VCID-5mnd-qvaq-k3am","summary":"Unauthenticated Craft CMS users can trigger a database backup\nUnauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources:\n\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456","reference_id":"","reference_type":"","scores":[{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.4399","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68456"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","sco
ring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456","reference_id":"CVE-2025-68456","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68456"},{"reference_url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v64r-7wg9-23pr"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr","reference_id":"GHSA-v64r-7wg9-23pr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CV
SS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:26:08Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73170?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"
VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ube
y"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68456","GHSA-v64r-7wg9-23pr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5mnd-qvaq-k3am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50298?format=json","vulnerability_id":"VCID-fpea-e48p-kfbn","summary":"Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 
endpoints.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00719","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27127"},{"reference_url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://curl.se/libcurl/c/CURLOPT_RESOLVE.html"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575"},{"reference_url":"https://github.com/mogwailabs/DNSrebinder","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textu
al","scoring_elements":""}],"url":"https://github.com/mogwailabs/DNSrebinder"},{"reference_url":"https://github.com/nccgroup/singularity","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nccgroup/singularity"},{"reference_url":"https://github.com/taviso/rbndr","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/taviso/rbndr"},{"reference_url":"https://unit42.paloaltonetworks.com/dns-rebinding","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://unit42.paloaltonetworks.com/dns-rebinding"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127","reference_id":"CVE-2026-27127","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27127"},{"reference_url":"https://github.com/advisories/GHSA-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx","reference_id":"GHSA-gp2f-7wcm-5fhx","reference_type":"","scores":[{"value":"HIGH","scoring_system
":"cvssv3.1_qr","scoring_elements":""},{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-28T02:12:07Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74189?format=json","purl":"pkg:composer/craftcms/cms@4.16.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},
{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19"},{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages
/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27127","GHSA-gp2f-7wcm-5fhx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fpea-e48p-kfbn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50333?format=json","vulnerability_id":"VCID-hkp9-3hzv-quhk","summary":"Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129","reference_id":"","reference_type":"","scores":[{"value":"0.00011","scoring_system":"epss","scoring_elements":"0.01541","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27129"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scorin
g_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129","reference_id":"CVE-2026-27129","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129"},{"reference_url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9","reference_id":"GHSA-v2gc-rm6g-wrw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"
5.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-28T02:16:52Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74189?format=json","purl":"pkg:composer/craftcms/cms@4.16.19","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.19"},{"url":"http://public2.vulnerablecode.io/api/packages/74188?format=json","purl":"pkg:composer/craftcms/cms@5.8.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3t
yj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.23"}],"aliases":["CVE-2026-27129","GHSA-v2gc-rm6g-wrw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hkp9-3hzv-quhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57273?format=json","vulnerability_id":"VCID-jxet-d8ux-mkge","summary":"Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. 
Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"0.33065","scoring_system":"epss","scoring_elements":"0.96993","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-35939"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/commit/e4c7bac8f31010aee048409f9ef6f744a83146b2"},{"reference_url":"https://github.com/craftcms/cms/pull/17220","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system
":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcms/cms/pull/17220"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/4.15.3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/4.15.3"},{"reference_url":"https://github.com/craftcms/cms/releases/tag/5.7.5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N
/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://github.com/craftcms/cms/releases/tag/5.7.5"},{"reference_url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"}],"url":"https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:
N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2025-35939","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-06-06T03:55:25Z/"},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:P/P:M/B:A/M:M/D:A/2025-05-07T22:40:17Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2025-35939"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939","reference_id":"CVE-2025-35939","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:H"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-35939"},{"reference_url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2","reference_id":"GHSA-7vrx-9684-xrf2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7vrx-9684-xrf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74788?format=json","purl":"pkg:co
mposer/craftcms/cms@4.15.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.15.3"},{"url":"http://public2.vulnerablecode.io/api/packages/74789?format=json","purl":"pkg:composer/craftcms/cms@5.7.5","is_vulnerable":true,"affected_b
y_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"htt
p://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.7.5"}],"aliases":["CVE-2025-35939","GHSA-7vrx-9684-xrf2"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jxet-d8ux-mkge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57189?format=json","vulnerability_id":"VCID-qq68-3j4y-47am","summary":"Craft CMS Allows Remote Code Execution\nThis is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g\n\nThis is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"0.93094","scoring_system":"epss","scoring_elements":"0.99798","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32432"},{"reference_url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"},{"reference_url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"val
ue":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"},{"reference_url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py","reference_id":"CVE-2025-32432","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52525.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432","reference_id":"CVE-2025-32432","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432"},{"reference_url":"https://github.com/craftcms/cms/security/
advisories/GHSA-4w8r-3xrw-v25g","reference_id":"GHSA-4w8r-3xrw-v25g","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g"},{"reference_url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f3gw-9ww9-jmc3"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3","reference_id":"GHSA-f3gw-9ww9-jmc3","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2026-03-20T15:24:23Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84933?format=json","purl":"pkg:composer/craftcms/cms@3.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.15"},{"url":"http://public2.vulnerablecode.io/api/packages/84934?format=json","purl":"pkg:composer/craftcms/cms@4.14.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnera
bility":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.14.15"},{"url":"http://public2.vulnerablecode.io/api/packages/84935?format=json","purl":"pkg:composer/craftcms/cms@5.6.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr
-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dbcz-erbe-u7dt"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.6.17"}],"aliases":["CVE-2025-32432","GHSA-f3gw-9ww9-jmc3"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url"
:"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq68-3j4y-47am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49561?format=json","vulnerability_id":"VCID-rb7c-3nkc-gkeg","summary":"Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation\nThe Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume.\n\nUsers should update to the patched 5.8.21 and 4.16.17 releases to mitigate the 
issue.\n\nReferences:\n\nhttps://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03989","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68437"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"},{"reference_url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track",
"scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437","reference_id":"CVE-2025-68437","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68437"},{"reference_url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x27p-wfqw-hfcc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc","reference_id":"GHSA-x27p-wfqw-hfcc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"5.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-06T14:27:06Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73170?format=json","purl":"pkg:composer/craftcms/cms@4.16.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID
-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.17"},{"url":"http://public2.vulnerablecode.io/api/packages/73169?format=json","purl":"pkg:composer/craftcms/cms@5.8.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-5tzm-738x-xka9"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-a8p2-5cmc-n7g2"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},
{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-bqep-3c6u-mqhu"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-p3n8-1sht-bfbt"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.21"}],"aliases":["CVE-2025-68437","GHSA-x27p-wfqw-hfcc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rb7c-3nkc-gkeg"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56366?format=json","vulnerability_id":"VCID-c2nk-y4rx-1qf4","summary":"Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled\nYou are affected if your php.ini configuration has `register_argc_argv` 
enabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"0.93926","scoring_system":"epss","scoring_elements":"0.99888","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56145"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRI
TICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145"},{"reference_url":"https://github.com/Chocapikk/CVE-2024-56145","reference_id":"CVE-2024-56145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Chocapikk/CVE-2024-56145"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145","reference_id":"CVE-2024-56145","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56145"},{"reference_url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2p6p-9rc9-62j9"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9","reference_id":"GHSA-2p6p-9rc9-62j9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Act","scorin
g_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83574?format=json","purl":"pkg:composer/craftcms/cms@3.9.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.14"},{"url":"http://public2.vulnerablecode.io/api/packages/83573?format=json","purl":"pkg:composer/craftcms/cms@4.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability
":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.13.2"},{"url":"http://public2.vulnerablecode.io/api/packages/83572?format=json","purl":"pkg:composer/craftcms/cms@5.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-41uv-1axm-fugb"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-83rt-3tyj-qbgx"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9ca4-tbhq-27ad"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-asek-4gme-gug8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-e94m-mj1k-8kbr"},{"vulnerability":"VCID-eaxm-rjr7-xudb"},{"vulnerability":"VCID-efwv-r3nc-73h9"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-fpke-p7sz-nfc9"},{"vulnerability":"VCID-gzry-xtu5-ukhu"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3
g6"},{"vulnerability":"VCID-jnrx-e9b5-wqew"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxet-d8ux-mkge"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-nmzu-mefv-tqeh"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-rzq4-h1ms-nqef"},{"vulnerability":"VCID-sa99-8awj-eycd"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-tzjk-x116-ayge"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.5.2"}],"aliases":["CVE-2024-56145","GHSA-2p6p-9rc9-62j9"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c2nk-y4rx-1qf4"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@3.9.14"}