
Craftcms Cms vulnerabilities

115 known vulnerabilities affecting craftcms/cms.

Total CVEs: 115
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 38, MEDIUM 67

Vulnerabilities

Page 5 of 6
CVE-2026-56384
Severity: MEDIUM (P4), CVSS 4.3
Weakness: CWE-862
Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14
Published: 2026-06-21
Sources: nvd
Description: Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view perm

CVE-2026-29113
Severity: MEDIUM (P4), CVSS 4.3
Weakness: CWE-352
Affected: >= 4.0.0-RC1, < 4.17.3; >= 5.0.0-RC1, < 5.9.6
Published: 2026-03-10
Sources: ghsa, nvd, osv
Description: Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a

CVE-2017-8384
Severity: MEDIUM (P4), CVSS 6.1
Weakness: CWE-79
Affected: >= 0, < 2.6.2976
Published: 2022-05-17
Sources: ghsa, osv
Title: Craft CMS XSS Vulnerability
Description: Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.

CVE-2023-33196
Severity: MEDIUM (P4), CVSS 5.4
Weakness: CWE-80
Affected: >= 4.0.0-RC1, <= 4.4.6
Published: 2023-05-26
Sources: ghsa, nvd, osv
Description: Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

CVE-2021-27902
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 0, < 3.6.0
Published: 2021-07-02
Sources: ghsa, osv
Title: Craft CMS Cross-site Scripting Vulnerability
Description: An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.

CVE-2019-12823
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 0, < 3.1.31
Published: 2022-05-24
Sources: ghsa, osv
Title: Craft CMS XSS Vulnerability
Description: Craft CMS before 3.1.31 does not properly filter XML feeds, thus allowing XSS.

CVE-2017-8383
Severity: MEDIUM (P4)
Weakness: CWE-284
Affected: >= 0, < 2.6.2976
Published: 2022-05-13
Sources: ghsa, osv
Title: Craft CMS Unauthorized View
Description: Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the `craft/app/` folder.

CVE-2019-17496
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 0, < 3.3.8
Published: 2022-05-24
Sources: ghsa, osv
Title: Craft CMS XSS Vulnerability
Description: Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.

CVE-2026-25491
Severity: MEDIUM (P4), CVSS 4.8
Weakness: CWE-79
Affected: >= 5.0.0-RC1, < 5.8.22
Published: 2026-02-09
Sources: ghsa, nvd, osv
Description: Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

CVE-2026-56393
Severity: MEDIUM (P4), CVSS 4.8
Weakness: CWE-79
Affected: >= 5.0.0-RC1, < 5.9.0-beta.1; >= 4.0.0-RC1, < 4.17.0-beta.1
Published: 2026-06-21
Sources: nvd
Description: Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious p

CVE-2026-33161
Severity: MEDIUM (P4), CVSS 4.3
Weakness: CWE-200
Affected: >= 4.0.0-RC1, < 4.17.8; >= 5.0.0-RC1, < 5.9.14
Published: 2026-03-24
Sources: ghsa, nvd, osv
Description: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private

CVE-2023-30177
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 0, < 3.7.68
Published: 2023-04-25
Sources: ghsa, osv
Title: Cross Site Scripting in CraftCMS
Description: CraftCMS prior to version 3.7.68 is vulnerable to Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.

CVE-2022-37246
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 4.0.0-RC1, < 4.2.1; >= 3.7.39, < 3.7.51
Published: 2022-09-22
Sources: ghsa, osv
Title: Craft CMS Cross-site Scripting vulnerability
Description: Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`.

CVE-2020-19626
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 0, < 3.1.33
Published: 2022-05-24
Sources: ghsa, osv
Title: Craft CMS Cross-site Scripting Vulnerability
Description: Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31 allows remote attackers to inject arbitrary web script or HTML via `/admin/settings/sites/new`.

CVE-2022-37250
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 4.0.0-RC1, < 4.2.1
Published: 2022-09-17
Sources: ghsa, osv
Title: Craft CMS Stored Cross-site Scripting in User Addresses Title
Description: Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in `/admin/myaccount`.

CVE-2022-37248
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 4.0.0-RC1, < 4.2.1
Published: 2022-09-17
Sources: ghsa, osv
Title: Craft CMS Cross site Scripting vulnerability
Description: Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via `src/helpers/Cp.php`.

CVE-2022-37247
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 4.0.0-RC1, < 4.2.1
Published: 2022-09-17
Sources: ghsa, osv
Title: Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page
Description: Craft CMS 4.2.0.1 is vulnerable to stored cross-site scripting (XSS) via the /admin/settings/fields page.

CVE-2022-37251
Severity: MEDIUM (P4)
Weakness: CWE-79
Affected: >= 3.7.0-beta.1, < 3.7.55.2; >= 4.0.0-RC1, < 4.2.1
Published: 2022-09-17
Sources: ghsa, osv
Title: Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts
Description: Craft CMS `3.70-RC1`–`3.7.55.1` and `4.0.0-RC1`–`4.2.0.1` are vulnerable to Cross Site Scripting (XSS) via entry revisions and drafts. Versions `3.7.55.2` and `4.2.1` contain patches for this issue.

CVE-2017-8385
Severity: MEDIUM (P4)
Weakness: CWE-640
Affected: >= 0, < 2.6.2976
Published: 2022-05-17
Sources: ghsa, osv
Title: Craft CMS subject to URL forgery
Description: Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

CVE-2024-45406
Severity: MEDIUM (P4), CVSS 4.8
Weakness: CWE-79
Affected: >= 5.0.0, < 5.1.2
Published: 2024-09-09
Sources: ghsa, nvd, osv
Description: Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.