Search for packages
| purl | pkg:composer/craftcms/cms@3.6.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3r9x-ax4j-3yha
Aliases: CVE-2022-28378 GHSA-7xj5-fwqr-5378 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS before 3.7.29 allows XSS. |
Affected by 23 other vulnerabilities. |
|
VCID-41y2-tucq-ykaj
Aliases: CVE-2023-23927 GHSA-qcrj-6ffc-v7hq |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. |
Affected by 20 other vulnerabilities. Affected by 58 other vulnerabilities. |
|
VCID-5mnd-qvaq-k3am
Aliases: CVE-2025-68456 GHSA-v64r-7wg9-23pr |
Unauthenticated Craft CMS users can trigger a database backup Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
Affected by 35 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-5pur-jy1x-gfhv
Aliases: CVE-2023-33197 GHSA-6qjx-787v-6pxr |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. |
Affected by 52 other vulnerabilities. |
|
VCID-6hcd-ayyh-3fdb
Aliases: CVE-2023-31144 GHSA-j4mx-98hw-6rv6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
Affected by 16 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
VCID-8pjj-w8h7-p7ga
Aliases: CVE-2022-29933 GHSA-5cjr-78cq-3wrg |
Weak Password Recovery Mechanism for Forgotten Password Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-email URI. NOTE: the vendor's position is that a customer can already work around this by adjusting the configuration (i.e., by not using the default configuration). |
Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-aajd-9qsf-37cr
Aliases: CVE-2023-33495 GHSA-m3v5-gjj9-rg24 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft CMS through 4.4.9 is vulnerable to HTML Injection. |
Affected by 50 other vulnerabilities. |
|
VCID-c2nk-y4rx-1qf4
Aliases: CVE-2024-56145 GHSA-2p6p-9rc9-62j9 |
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled You are affected if your php.ini configuration has `register_argc_argv` enabled. |
Affected by 6 other vulnerabilities. Affected by 44 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-c9mw-1at1-ebaz
Aliases: CVE-2021-41824 GHSA-h7vq-5qgw-jwwq |
Improper Neutralization of Formula Elements in a CSV File Craft CMS allows CSV injection. |
Affected by 25 other vulnerabilities. |
|
VCID-chep-xthg-zuee
Aliases: CVE-2024-52292 GHSA-cw6g-qmjq-6w2w |
Craft CMS Arbitrary System File Read By abusing the mail notification template it is possible to read arbitrary operating system files. |
Affected by 45 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-cwm6-qf1f-2keb
Aliases: CVE-2024-37843 GHSA-hq4f-mv3q-8wcv |
Craft CMS SQL injection vulnerability via the GraphQL API endpoint Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. |
Affected by 22 other vulnerabilities. |
|
VCID-dz26-b2ts-puep
Aliases: CVE-2023-36260 GHSA-6p78-f7h9-6838 |
Craft CMS Feed-Me An issue discovered in Craft CMS version 4.6.1. allows remote attackers to cause a denial of service (DoS) via crafted string to Feed-Me Name and Feed-Me URL fields due to saving a feed using an Asset element type with no volume selected. |
Affected by 0 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-ec34-nvn3-qbcb
Aliases: CVE-2023-40035 GHSA-44wr-rmwq-3phw |
Craft CMS vulnerable to Remote Code Execution via validatePath bypass Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true) |
Affected by 10 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-eecq-8t4y-kka3
Aliases: CVE-2022-37783 GHSA-h972-v458-m892 |
Craft CMS discloses password hashes All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and a HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash in without encoding it whereas the corresponding HTML hidden field discloses the users' password hash in a masked manner, which can be decoded by using public functions of the YII framework. |
Affected by 20 other vulnerabilities. |
|
VCID-fpea-e48p-kfbn
Aliases: CVE-2026-27127 GHSA-gp2f-7wcm-5fhx |
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints. |
Affected by 25 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-hkp9-3hzv-quhk
Aliases: CVE-2026-27129 GHSA-v2gc-rm6g-wrw9 |
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution The SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)). |
Affected by 25 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-hm7h-7cu3-8be1
Aliases: CVE-2023-33194 GHSA-3wxg-w96j-8hq9 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. |
Affected by 15 other vulnerabilities. Affected by 52 other vulnerabilities. |
|
VCID-jhen-vhqx-n7dr
Aliases: CVE-2024-21622 GHSA-j5g9-j7r4-6qvx |
Improper Privilege Management Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. |
Affected by 9 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-jxet-d8ux-mkge
Aliases: CVE-2025-35939 GHSA-7vrx-9684-xrf2 |
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. |
Affected by 42 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-n1z8-7a8m-rfcc
Aliases: CVE-2021-27903 GHSA-x2j7-6hxm-87p3 |
Craft CMS Remote Code Injection An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session). |
Affected by 27 other vulnerabilities. |
|
VCID-nz6e-26rc-f3fa
Aliases: CVE-2021-32470 GHSA-h2rj-8wgg-mm43 |
Cross-site Scripting Craft CMS has an XSS vulnerability. |
Affected by 26 other vulnerabilities. |
|
VCID-qcwp-su57-9fa1
Aliases: CVE-2023-30179 GHSA-3x74-v64j-qc3f |
Improper Control of Generation of Code ('Code Injection') CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. |
Affected by 57 other vulnerabilities. |
|
VCID-qq68-3j4y-47am
Aliases: CVE-2025-32432 GHSA-f3gw-9ww9-jmc3 |
Craft CMS Allows Remote Code Execution This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version. |
Affected by 5 other vulnerabilities. Affected by 42 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-rb7c-3nkc-gkeg
Aliases: CVE-2025-68437 GHSA-x27p-wfqw-hfcc |
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.References: https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md |
Affected by 35 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-s5v6-e631-17f5
Aliases: CVE-2023-30130 GHSA-fjx5-xm7q-whvj |
CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
Affected by 17 other vulnerabilities. |
|
VCID-u4t8-gkkb-73bv
Aliases: GHSA-wf98-vxv9-jqfv GMS-2022-790 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms/cms. |
Affected by 23 other vulnerabilities. |
|
VCID-vbz3-3rqd-3fh6
Aliases: CVE-2023-30177 GHSA-wv7j-rc2q-9j67 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. |
Affected by 18 other vulnerabilities. |
|
VCID-ymw8-mvrz-e7bc
Aliases: CVE-2023-2817 GHSA-7x94-jx75-3gh6 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. |
Affected by 49 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||