Craftcms Cms vulnerabilities
93 known vulnerabilities affecting craftcms/cms.
Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 0
Severity breakdown
CRITICAL: 8, HIGH: 31, MEDIUM: 50, LOW: 4
Vulnerabilities
Page 1 of 5
CVE-2026-33157 [HIGH] CVSS 8.6 | CWE-470 | Affected: >= 5.6.0, < 5.9.13 | 2026-03-24
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various Field
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33162 [MEDIUM] CVSS 4.9 | CWE-285 | Affected: >= 5.3.0, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been pa
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33158 [MEDIUM] CVSS 4.9 | CWE-639 | Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a prev
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33159 [MEDIUM] CVSS 6.9 | CWE-306 | Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access the Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patc
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33160 [LOW] CVSS 2.7 | CWE-639 | Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33161 [LOW] CVSS 1.3 | CWE-200 | Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private ed
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-33051 [MEDIUM] CVSS 5.3 | CWE-79 | Affected: >= 5.9.0-beta.1, < 5.9.11 | 2026-03-20
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS p
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-32267 [HIGH] CVSS 7.7 | CWE-863 | Affected: >= 4.0.0-RC1, < 4.17.6; >= 5.0.0-RC1, < 5.9.12 | 2026-03-16
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched i
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-32264 [HIGH] CVSS 8.6 | CWE-470 | Affected: >= 4.0.0-RC1, < 4.17.5; >= 5.0.0-RC1, < 5.9.11 | 2026-03-16
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-32263 [HIGH] CVSS 8.6 | CWE-470 | Affected: >= 5.6.0, < 5.9.11 | 2026-03-16
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vect
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-32262 [MEDIUM] CVSS 5.3 | CWE-22 | Affected: >= 4.0.0-RC1, < 4.17.5; >= 5.0.0-RC1, < 5.9.11 | 2026-03-16
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenti
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-31858 [HIGH] CVSS 8.7 | CWE-89 | Affected: >= 5.0.0-RC1, <= 5.9.8 | 2026-03-11
CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the
Sources: cvelistv5, ghsa, osv
CVE-2026-31857 [HIGH] CVSS 8.1 | CWE-94 | Affected: >= 5.0.0-RC1, < 5.9.9; >= 4.0.0-beta.1, < 4.17.4 | 2026-03-11
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any auth
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-31859 [MEDIUM] CVSS 6.9 | CWE-79 | Affected: >= 4.15.3, < 4.17.3; >= 5.7.5, < 5.9.7 | 2026-03-11
Craft has Reflective XSS via incomplete return URL sanitization
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(
Sources: cvelistv5, ghsa, osv
CVE-2026-29113 [LOW] CVSS 2.3 | CWE-352 | Affected: >= 4.0.0-RC1, < 4.17.3; >= 5.0.0-RC1, < 5.9.6 | 2026-03-10
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a pr
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28783 [CRITICAL] CVSS 9.4 | CWE-94 | Affected: >= 5.0.0-RC1, <= 5.9.0-beta.1; >= 4.0.0-RC1, <= 4.17.0-beta.1 | 2026-03-04
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a co
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28697 [CRITICAL] CVSS 9.4 | CWE-1336 | Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-04
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PH
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28784 [HIGH] CVSS 8.6 | CWE-1336 | Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-04
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craf
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28781 [HIGH] CVSS 7.1 | CWE-639 | Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-04
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is auth
Sources: cvelistv5, ghsa, nvd, osv
CVE-2026-28696 [HIGH] CVSS 8.7 | CWE-639 | Affected: >= 4.0.0-RC1, < 4.17.0-beta.1; >= 5.0.0-RC1, < 5.9.0-beta.1 | 2026-03-04
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The imple
Sources: cvelistv5, ghsa, nvd, osv