cvebase

Craftcms Cms vulnerabilities

107 known vulnerabilities affecting craftcms/cms.

Total CVEs: 107
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 11, HIGH 34, MEDIUM 62

Vulnerabilities

Page 2 of 6
CVE-2026-44011 | P3 | HIGH | CVSS 8.6 | >= 4.0.0, < 4.17.12; >= 5.0.0, < 5.9.18 | 2026-05-12
CVE-2026-44011 [HIGH] CWE-479: Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live
Sources: ghsa, nvd
CVE-2021-27903 | P3 | CRITICAL | ≥ 0, < 3.6.7 | 2021-07-02
CVE-2021-27903 [CRITICAL] CWE-74: Craft CMS Remote Code Injection. An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
Sources: ghsa, osv
CVE-2017-9516 | P4 | MEDIUM | PoC | ≥ 0, < 2.6.2982 | 2022-05-17
CVE-2017-9516 [MEDIUM] CWE-79: Craft CMS XSS Vulnerability. Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
Sources: ghsa, osv
CVE-2026-33157 | P3 | HIGH | CVSS 7.2 | >= 5.6.0, < 5.9.13 | 2026-03-24
CVE-2026-33157 [HIGH] CWE-470: Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS which can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various Field
Sources: ghsa, nvd, osv
CVE-2023-32679 | P3 | HIGH | CVSS 7.2 | >= 4.0.0, < 4.4.6 | 2023-05-19
CVE-2023-32679 [HIGH] CWE-74: Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not an empty string ('') in View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() call chain, it returns directly withou
Sources: ghsa, nvd, osv
CVE-2025-46731 | P3 | HIGH | CVSS 7.2 | >= 4.0.0-RC1, < 4.14.13; >= 5.0.0-RC1, < 5.6.15 | 2025-05-05
CVE-2025-46731 [HIGH] CWE-1336: Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13
Sources: ghsa, nvd, osv
CVE-2025-57811 | P3 | HIGH | CVSS 7.2 | >= 5.8.7, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1 | 2025-08-25
CVE-2025-57811 [HIGH] CWE-1336: Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Sources: ghsa, nvd, osv
CVE-2026-25498 | P3 | HIGH | ≥ 5.0.0-RC1, < 5.8.22; ≥ 4.0.0-RC1, < 4.16.18 | 2026-02-09
CVE-2026-25498 [HIGH] CWE-470: Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Relationship to Previously Patched Vulnerability: This vulnerability is **in addition to** the RCE vulnerability patched in [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5). That advisory addressed a similar RCE vuln
Sources: ghsa, osv
CVE-2026-28784 | P3 | HIGH | CVSS 7.2 | >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-04
CVE-2026-28784 [HIGH] CWE-1336: Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craf
Sources: ghsa, nvd, osv
CVE-2023-40035 | P3 | HIGH | CVSS 7.2 | >= 4.0.0-RC1, < 4.12.2; >= 5.0.0-RC1, < 5.4.3 | 2023-08-23
CVE-2023-40035 [HIGH] CWE-74: Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltration. Although the vulnerability is exploitable only by authenticated users, configuration with ALLOW_
Sources: ghsa, nvd, osv
CVE-2026-32264 | P3 | HIGH | CVSS 7.2 | >= 4.0.0-RC1, < 4.17.5; >= 5.0.0-RC1, < 5.9.11 | 2026-03-16
CVE-2026-32264 [HIGH] CWE-470: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This
Sources: ghsa, nvd, osv
CVE-2026-56382 | P3 | HIGH | CVSS 7.2 | ≥ 5.5.0, < 5.9.14 | 2026-06-21
CVE-2026-56382 [HIGH] CWE-94: Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 ev
Sources: nvd
CVE-2026-28695 | P3 | MEDIUM | CVSS 6.1 | ≥ 5.8.7, < 5.9.0-beta.1; ≥ 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-03
CVE-2026-28695 [MEDIUM] CWE-1336: Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget. There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). Required Permi
Sources: ghsa, osv
CVE-2024-52293 | P3 | HIGH | CVSS 7.2 | >= 4.0.0-RC1, < 4.16.6; >= 5.0.0-RC1, < 5.8.7 | 2024-11-13
CVE-2024-52293 [HIGH] CWE-22: Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath, which could lead to Remote Code Execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Sources: ghsa, nvd, osv
CVE-2026-28696 | P3 | HIGH | CVSS 7.5 | >= 4.0.0-RC1, < 4.17.0-beta.1; >= 5.0.0-RC1, < 5.9.0-beta.1 | 2026-03-04
CVE-2026-28696 [HIGH] CWE-639: Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The imple
Sources: ghsa, nvd, osv
CVE-2023-30130 | P3 | HIGH | ≥ 0, ≤ 3.8.1 | 2023-05-12
CVE-2023-30130 [HIGH] CWE-94: CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter. An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
Sources: ghsa, osv
CVE-2026-32263 | P3 | HIGH | CVSS 7.2 | >= 5.6.0, < 5.9.11 | 2026-03-16
CVE-2026-32263 [HIGH] CWE-470: Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vect
Sources: ghsa, nvd, osv
CVE-2018-20418 | P4 | MEDIUM | PoC | ≥ 0, ≤ 3.0.25 | 2022-05-14
CVE-2018-20418 [MEDIUM] CWE-79: Craft CMS Cross-site Scripting (XSS) Vulnerability. `index.php?p=admin/actions/entries/save-entry` in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
Sources: ghsa, osv
CVE-2023-30179 | P3 | HIGH | ≥ 0, < 4.4.2 | 2023-06-13
CVE-2023-30179 [HIGH] CWE-94: Withdrawn Advisory: CraftCMS Server-Side Template Injection vulnerability. This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references. [According to maintainers of Craft CMS](https://github.com/github/advisory-database/pull/2443#issuecomment-1610634200), only adminis
Sources: ghsa
CVE-2024-52291 | P3 | HIGH | CVSS 7.2 | >= 5.0.0-RC1, < 5.4.6; >= 4.0.0-RC1, < 4.12.5 | 2024-11-13
CVE-2024-52291 [HIGH] CWE-22: Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access t
Sources: ghsa, nvd, osv