cvebase

Craftcms Cms vulnerabilities

107 known vulnerabilities affecting craftcms/cms.

Total CVEs: 107
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 11, HIGH 34, MEDIUM 62

Vulnerabilities

Page 1 of 6
CVE-2024-56145 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC
Affected: >= 4.0.0-RC1, < 4.13.2; >= 5.0.0-RC1, < 5.5.2; +1 more
Date: 2024-12-18
CWE-94. Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.
Sources: GHSA, NVD, OSV

CVE-2025-32432 | P1 | CRITICAL | KEV | PoC
Affected: >= 3.0.0-RC1, < 3.9.15; >= 4.0.0-RC1, < 4.14.15; +1 more
Date: 2025-04-25
CWE-94. Craft CMS Allows Remote Code Execution. ### Impact This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g This is a high-impact, low-complexity attack vector. To mitigate the issue, users running Craft installations before the fixed versions are encouraged to update to at least that version. ### Details https://craftcms.com/knowledge-base/craft-cms-cve-2025-32432 ### Refere
Sources: GHSA, OSV

CVE-2025-23209 | P1 | HIGH | CVSS 8.1 | KEV
Affected: >= 4.13.8, < 4.16.3; >= 5.5.8, < 5.8.4
Date: 2025-01-18
CWE-94. Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability
Sources: GHSA, NVD, OSV

CVE-2025-35939 | P1 | MEDIUM | CVSS 5.3 | KEV
Affected: >= 4.15.3, < 4.17.3; >= 5.7.5, < 5.9.7
Date: 2025-05-07
CWE-472. Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named
Sources: GHSA, NVD, OSV

CVE-2023-41892 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC
Affected: >= 3.0.0-RC1, < 3.9.15; >= 4.0.0-RC1, < 4.14.15; +1 more
Date: 2023-09-13
CWE-94. Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Sources: GHSA, NVD, OSV

CVE-2024-37843 | P2 | CRITICAL | PoC
Affected: >= 0, <= 3.7.31
Date: 2024-06-25
CWE-89. Craft CMS SQL injection vulnerability via the GraphQL API endpoint. Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Sources: GHSA, OSV

CVE-2026-32267 | P2 | CRITICAL | CVSS 9.8
Affected: >= 4.0.0-RC1, < 4.17.6; >= 5.0.0-RC1, < 5.9.12
Date: 2026-03-16
CWE-863. Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patch
Sources: GHSA, NVD, OSV

CVE-2025-68454 | P2 | HIGH | CVSS 8.8
Affected: >= 5.0.0-RC1, < 5.8.21; >= 4.0.0-RC1, < 4.16.17
Date: 2026-01-05
CWE-1336. Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recom
Sources: GHSA, NVD, OSV

CVE-2026-25495 | P2 | HIGH | CVSS 8.8
Affected: >= 5.0.0-RC1, <= 5.9.8
Date: 2026-02-09
CWE-89. Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Con
Sources: GHSA, NVD, OSV

CVE-2026-28697 | P2 | CRITICAL | CVSS 9.1
Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1
Date: 2026-03-04
CWE-1336. Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PH
Sources: GHSA, NVD, OSV

CVE-2026-31857 | P2 | HIGH | CVSS 8.8
Affected: >= 5.0.0-RC1, < 5.9.9; >= 4.0.0-beta.1, < 4.17.4
Date: 2026-03-11
CWE-94. Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any auth
Sources: GHSA, NVD, OSV

CVE-2026-25497 | P3 | HIGH | CVSS 8.8
Affected: >= 5.0.0-RC1, < 5.8.22; >= 4.0.0-RC1, < 4.17.0-beta.1
Date: 2026-02-09
CWE-639. Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other
Sources: GHSA, NVD, OSV

CVE-2025-54417 | P3 | HIGH | CVSS 8.1
Affected: >= 4.13.8, < 4.16.3; >= 5.5.8, < 5.8.4
Date: 2025-08-08
CWE-94. Craft CMS has a theoretical bypass for CVE-2025-23209.
**Pre-requisites:**
* Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret)
* Somehow, manage to create an arbitrary file in Craft’s `/storage/backups` folder.
With those two pieces in place, you could create a specific, malicious request to the `/updater/restore-db` endpoint to execute CLI commands rem
Sources: GHSA, OSV

CVE-2026-31858 | P3 | HIGH
Affected: >= 5.0.0-RC1, < 5.9.9
Date: 2026-03-11
CWE-89. CraftCMS's `ElementSearchController` Affected by Blind SQL Injection. The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that was added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj). The exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory v
Sources: GHSA, OSV

CVE-2025-68456 | P3 | CRITICAL | CVSS 9.1
Affected: >= 5.0.0-RC1, < 5.8.21; >= 3.0.0, < 4.16.17
Date: 2026-01-05
CWE-202. Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to miti
Sources: GHSA, NVD, OSV

CVE-2026-28783 | P3 | CRITICAL | CVSS 9.1
Affected: >= 5.0.0-RC1, <= 5.9.0-beta.1; >= 4.0.0-RC1, <= 4.17.0-beta.1
Date: 2026-03-04
CWE-94. Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a co
Sources: GHSA, NVD, OSV

CVE-2024-21622 | P3 | HIGH | CVSS 8.8
Affected: >= 4.0.0-RC1, < 4.5.11; >= 3.0.0, < 3.9.6
Date: 2024-01-03
CWE-269. Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
Sources: GHSA, NVD, OSV

CVE-2022-29933 | P3 | HIGH
Affected: >= 0, < 3.7.36
Date: 2022-05-10
CWE-640. Improper account password reset in Craft CMS. Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/users/send-password-reset-e
Sources: GHSA, OSV

CVE-2018-3814 | P3 | HIGH
Affected: >= 0, <= 2.6.3000
Date: 2022-05-13
CWE-434. Craft CMS PHP Code Injection Vulnerability. Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
Sources: GHSA, OSV

CVE-2025-68455 | P3 | HIGH | CVSS 7.2
Affected: >= 5.0.0-RC1, < 5.8.22; >= 4.0.0-RC1, < 4.16.18
Date: 2026-01-05
CWE-470. Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched version
Sources: GHSA, NVD, OSV
