CVE-2026-29113 — Cross-Site Request Forgery in Craft CMS

CWE-352 — Cross-Site Request Forgery CWE-287 — Improper Authentication5 documents5 sources

Severity

2.3LOWNVD

EPSS

0.0%

top 99.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 10

Description

Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content t…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms4.0.0-RC1 — 4.17.4+1

▶NVDcraftcms/craft_cms4.0.0 — 4.17.4+1

▶CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.3, >= 5.0.0-RC1, < 5.9.6+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Craft CMS has a potential information disclosure vulnerability in preview tokens↗2026-03-10

▶

OSV

Craft CMS has a potential information disclosure vulnerability in preview tokens↗2026-03-10

▶

CVEList

Craft has a potential information disclosure vulnerability in preview tokens↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29113 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶