
Craftcms Cms vulnerabilities

107 known vulnerabilities affecting craftcms/cms.

Total CVEs: 107
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 11, HIGH 34, MEDIUM 62

Vulnerabilities

Page 4 of 6

Each entry below reads: CVE ID | priority | severity | CVSS score (where given) | affected version ranges | date; then the CWE, advisory title and description; then the advisory sources (ghsa, nvd, osv).
CVE-2023-36260 | P3 | HIGH | ≥ 0, < 4.6.2 | 2024-01-30
CWE-74 | Craft CMS Feed-Me: An issue discovered in Craft CMS version 4.6.1.1 allows remote attackers to cause a denial of service (DoS) via a crafted string in the Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected.
Sources: ghsa, osv
CVE-2018-20465 | P3 | HIGH | ≥ 0, ≤ 3.0.34 | 2022-05-13
CWE-1336 | Craft CMS Vulnerable to Server-Side Template Injection: Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a `{%` string for `craft.app.config.DB.user` and `craft.app.config.DB.password` in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
Sources: ghsa, osv
CVE-2026-41129 | P4 | MEDIUM | CVSS 5.5 | ≥ 5.0.0-RC1, < 5.9.15; ≥ 4.0.0-RC1, < 4.17.9 | 2026-04-22
CWE-918 | CVE-2026-41129: Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create assets in the volume." Versions 4.17.9 and 5.9.15 patc
Sources: nvd
CVE-2026-33160 | P4 | MEDIUM | CVSS 5.3 | ≥ 4.0.0-RC1, < 4.17.8; ≥ 5.0.0-RC1, < 5.9.14 | 2026-03-24
CWE-639 | CVE-2026-33160: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-ass
Sources: ghsa, nvd, osv
CVE-2026-29069 | P4 | MEDIUM | CVSS 5.3 | ≥ 5.0.0-RC1, < 5.9.0-beta.2; ≥ 4.0.0-RC1, < 4.17.0-beta.2 | 2026-03-04
CWE-639 | CVE-2026-29069: Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID.
Sources: ghsa, nvd, osv
CVE-2026-33051 | P4 | MEDIUM | CVSS 5.4 | ≥ 5.9.0-beta.1, < 5.9.11 | 2026-03-20
CWE-79 | CVE-2026-33051: Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS p
Sources: ghsa, nvd, osv
CVE-2026-32262 | P4 | MEDIUM | CVSS 4.3 | ≥ 4.0.0-RC1, < 4.17.5; ≥ 5.0.0-RC1, < 5.9.11 | 2026-03-16
CWE-22 | CVE-2026-32262: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenti
Sources: ghsa, nvd, osv
CVE-2026-31859 | P4 | MEDIUM | CVSS 6.9 | ≥ 4.15.3, < 4.17.3; ≥ 5.7.5, < 5.9.7 | 2026-03-11
CWE-116 | CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization. Summary: The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets); it does not inspect or filter URL schemes. Payloads like `javascript:a
Sources: ghsa, osv
CVE-2023-33495 | P4 | MEDIUM | ≥ 0, ≤ 4.4.9 | 2023-06-20
CWE-79 | Craft CMS vulnerable to HTML injection: Craft CMS through 4.4.9 is vulnerable to HTML Injection.
Sources: ghsa, osv
CVE-2026-27128 | P4 | MEDIUM | CVSS 4.8 | ≥ 4.5.0-RC1, < 4.16.19; ≥ 5.0.0-RC1, < 5.8.23 | 2026-02-24
CWE-367 | CVE-2026-27128: Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS's token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token's usage count, checks if it's within limits, then
Sources: ghsa, nvd, osv
CVE-2023-33195 | P4 | MEDIUM | CVSS 6.1 | ≥ 4.3.0, ≤ 4.4.5 | 2023-05-27
CWE-79 | CVE-2023-33195: Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
Sources: ghsa, nvd, osv
CVE-2026-56385 | P4 | MEDIUM | CVSS 4.3 | ≥ 5.0.0-RC1, < 5.9.14; ≥ 4.0.0-RC1, < 4.17.8 | 2026-06-21
CWE-639 | CVE-2026-56385: Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still rece
Sources: nvd
CVE-2023-31144 | P4 | MEDIUM | CVSS 6.1 | ≥ 3.0.0, < 3.8.4; ≥ 4.0.0, < 4.4.4 | 2023-05-09
CWE-79 | CVE-2023-31144: Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in versions 3.8.4 and 4.4.4.
Sources: ghsa, nvd, osv
CVE-2023-23927 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.3.7 | 2023-03-03
CWE-79 | CVE-2023-23927: Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
Sources: ghsa, nvd, osv
CVE-2023-33197 | P4 | MEDIUM | CVSS 5.4 | ≥ 4.0.0-RC1, ≤ 4.4.5 | 2023-05-26
CWE-80 | CVE-2023-33197: Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
Sources: ghsa, nvd, osv
CVE-2023-2817 | P4 | MEDIUM | ≥ 4.0.0-RC1, < 4.4.12 | 2023-05-26
CWE-79 | Stored cross site scripting in Craft CMS: A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. This issue was patched in version 4.4.12.
Sources: ghsa, osv
CVE-2026-25496 | P4 | MEDIUM | CVSS 4.8 | ≥ 5.0.0-RC1, < 5.8.22; ≥ 4.0.0-RC1, < 4.16.18 | 2026-02-09
CWE-79 | CVE-2026-25496: Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is display
Sources: ghsa, nvd, osv
CVE-2026-27126 | P4 | MEDIUM | CVSS 4.8 | ≥ 4.5.0-RC1, < 4.16.19; ≥ 5.0.0-RC1, < 5.8.23 | 2026-02-24
CWE-79 | CVE-2026-27126: Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another
Sources: ghsa, nvd, osv
CVE-2026-56383 | P4 | MEDIUM | CVSS 4.8 | ≥ 4.5.0-beta.1, < 4.16.19; ≥ 5.0.0-RC1, < 5.8.23 | 2026-06-21
CWE-79 | CVE-2026-56383: Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes w
Sources: nvd
CVE-2026-28782 | P4 | MEDIUM | CVSS 4.3 | ≥ 5.0.0-RC1, < 5.9.0-beta.1; ≥ 4.0.0-RC1, < 4.17.0-beta.1 | 2026-03-04
CWE-639 | CVE-2026-28782: Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restricti
Sources: ghsa, nvd, osv
Craftcms Cms vulnerabilities | cvebase