cbcvebase.
CVE-2026-41129
published 2026-04-22

CVE-2026-41129: Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side…

PriorityP432medium5.5CVSS 4.0
AVNACLATNPRHUINVCHVILVANSCNSINSANEPCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.27%
19.2th percentile
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create assets in the volume." Versions 4.17.9 and 5.9.15 patch the issue.

Affected

2 ranges
VendorProductVersion rangeFixed in
craftcmscms
craftcmscms
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.