Craftcms Cms vulnerabilities
107 known vulnerabilities affecting craftcms/cms.
Total CVEs: 107
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 11, HIGH 34, MEDIUM 62
Vulnerabilities
Page 3 of 6
CVE-2024-41800 (P3) | HIGH, CVSS 7.5 | CWE-287
Affected: >= 5.0.0-beta.1, < 5.2.3
Date: 2024-07-25
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.
Sources: GHSA, NVD, OSV
CVE-2026-44010 (P3) | HIGH, CVSS 7.1 | CWE-862
Affected: >= 5.0.0, < 5.9.18; >= 4.0.0, < 4.17.12
Date: 2026-05-12
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belongi
Sources: GHSA, NVD
CVE-2024-52292 (P3) | MEDIUM, CVSS 6.5 | CWE-22
Affected: >= 5.0.0-alpha.1, < 5.4.9; >= 3.5.13, < 4.12.8
Date: 2024-11-13
Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can
Sources: GHSA, NVD, OSV
CVE-2026-27127 (P3) | MEDIUM, CVSS 5.0 | CWE-367
Affected: >= 5.0.0-RC1, < 5.8.23; >= 3.5.0, < 4.16.19
Date: 2026-02-23
Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
Summary: The SSRF validation in Craft CMS's GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker's DNS server returns different IP addresses for validation compared to the actual request.
Sources: GHSA, OSV
CVE-2026-33158 (P3) | MEDIUM, CVSS 6.5 | CWE-639
Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14
Date: 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a prev
Sources: GHSA, NVD, OSV
CVE-2026-56394 (P3) | MEDIUM, CVSS 6.5 | CWE-22
Affected: >= 4.0.0-RC1, < 4.17.7; >= 5.0.0-RC1, < 5.9.13
Date: 2026-06-21
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Sources: NVD
CVE-2026-27129 (P3) | MEDIUM, CVSS 5.0 | CWE-918
Affected: >= 5.0.0-RC1, < 5.8.23; >= 3.5.0, < 4.16.19
Date: 2026-02-24
Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS's GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.
This is a bypass of the s
Sources: GHSA, OSV
CVE-2025-68437 (P3) | MEDIUM, CVSS 6.8 | CWE-918
Affected: >= 4.5.0-RC1, < 4.16.19; >= 5.0.0-RC1, < 5.8.23
Date: 2026-01-05
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbi
Sources: GHSA, NVD, OSV
CVE-2026-25492 (P3) | MEDIUM, CVSS 6.5 | CWE-918
Affected: >= 5.0.0-RC1, < 5.8.22; >= 3.5.0, < 4.16.18
Date: 2026-02-09
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstr
Sources: NVD
CVE-2026-25494 (P3) | MEDIUM, CVSS 6.5 | CWE-918
Affected: >= 5.0.0-RC1, < 5.8.22
Date: 2026-02-09
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers
Sources: GHSA, NVD, OSV
CVE-2019-15929 (P3) | CRITICAL | CWE-640
Affected: >= 0, < 3.1.7
Date: 2022-05-24
Craft CMS possibility of brute force attempts
In Craft CMS before 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
Sources: GHSA, OSV
CVE-2026-25493 (P3) | MEDIUM, CVSS 6.5 | CWE-918
Affected: >= 5.0.0-RC1, < 5.8.22; >= 4.0.0-RC1, < 4.16.18
Date: 2026-02-09
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that poi
Sources: GHSA, NVD, OSV
CVE-2026-28781 (P3) | MEDIUM, CVSS 6.5 | CWE-639
Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1
Date: 2026-03-04
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is au
Sources: GHSA, NVD, OSV
CVE-2026-33159 (P3) | MEDIUM, CVSS 6.5 | CWE-306
Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14
Date: 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patc
Sources: GHSA, NVD, OSV
CVE-2026-33162 (P3) | MEDIUM, CVSS 6.5 | CWE-285
Affected: >= 5.3.0, < 5.9.14
Date: 2026-03-24
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been pa
Sources: GHSA, NVD, OSV
CVE-2025-68436 (P3) | MEDIUM, CVSS 6.5 | CWE-200
Affected: >= 5.0.0-RC1, < 5.8.21; >= 4.0.0-RC1, < 4.16.17
Date: 2026-01-05
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the
Sources: GHSA, NVD, OSV
CVE-2022-37783 (P3) | HIGH | CWE-200
Affected: >= 3.0.0, < 3.7.33
Date: 2022-12-05
Craft CMS discloses password hashes
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password hash without encoding it, whereas the corres
Sources: GHSA, OSV
CVE-2026-44012 (P3) | HIGH, CVSS 7.1 | CWE-862
Affected: >= 5.0.0-RC1, < 5.9.18
Date: 2026-05-12
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewP
Sources: GHSA, NVD
CVE-2026-41130 (P3) | MEDIUM, CVSS 5.5 | CWE-918
Affected: >= 5.0.0-RC1, < 5.9.15; >= 4.0.0-RC1, < 4.17.9
Date: 2026-04-22
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources.
When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-suppl
Sources: NVD
CVE-2026-41128 (P3) | MEDIUM, CVSS 5.3 | CWE-862
Affected: >= 5.6.0, < 5.9.15
Date: 2026-04-22
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, s
Sources: NVD