Craftcms Cms vulnerabilities
115 known vulnerabilities affecting craftcms/cms.
Total CVEs: 115
CISA KEV: 4 (actively exploited)
Public exploits: 6
Exploited in wild: 5
Severity breakdown: CRITICAL 10, HIGH 38, MEDIUM 67
Vulnerabilities (page 6 of 6)
CVE-2026-56381 [MEDIUM] P4, CVSS 4.8, CWE-79; affected ≥ 5.0.0-RC1, < 5.8.22; 2026-06-21
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page, where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
Sources: nvd
CVE-2023-33194 [MEDIUM] P4, CVSS 4.8, CWE-80; affected ≥ 4.0.0-RC1, < 4.4.6 and ≥ 3.0.0, ≤ 3.8.5; 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. An earlier CVE fixed the XSS in the label HTML but did not fix it when clicking Save. This issue was patched in version 4.4.6.
Sources: ghsa, nvd, osv
CVE-2026-55794 [HIGH] CVSS 8.7, CWE-94; affected ≥ 5.9.0, < 5.10.0; 2026-07-02
Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled
Sources: nvd
CVE-2026-50279 [HIGH] CVSS 7.6, CWE-285; affected ≥ 5.0.0-RC1, < 5.9.21; 2026-07-02
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / autho
Sources: nvd
CVE-2026-55790 [HIGH] CVSS 7.4, CWE-79; affected ≥ 5.0.0-RC1, < 5.9.23 and ≥ 4.0.0-RC1, < 4.17.16; 2026-07-01
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the pay
Sources: nvd
CVE-2026-50284 [HIGH] CVSS 7.1, CWE-862; affected ≥ 5.0.0-RC1, < 5.9.22 and ≥ 4.0.0-RC1, < 4.17.15; 2026-07-01
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, the AssetsController::actionDeleteFolder() only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and ev
Sources: nvd
CVE-2026-55791 [MEDIUM] CVSS 6.9, CWE-79; affected ≥ 5.0.0-RC1, < 5.10.0 and ≥ 4.0.0-RC1, < 4.18.0; 2026-07-02
Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above prior to 4.18.0, and 5.0.0-RC1 and above prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can
Sources: ghsa, nvd
CVE-2026-55792 [MEDIUM] CVSS 6.0, CWE-200; affected ≥ 4.0.0-RC1, < 4.18.0 and ≥ 5.0.0-RC1, < 5.10.0; 2026-07-02
Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email
Sources: nvd
CVE-2026-50280 [MEDIUM] CVSS 6.0, CWE-284; affected ≥ 5.0.0-RC1, < 5.9.21; 2026-07-02
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privilege
Sources: nvd
CVE-2026-55793 [MEDIUM] CVSS 5.9, CWE-79; affected ≥ 5.0.0-RC1, < 5.9.23; 2026-07-01
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes
Sources: nvd
CVE-2026-50283 [MEDIUM] CVSS 5.3, CWE-639; affected ≥ 5.0.0-RC1, < 5.9.21 and ≥ 4.0.0-RC1, < 4.17.14; 2026-07-01
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13, contain an authorization issue in AssetsController::actionReplaceFile() that allows deleting a source asset without source delete permission by supplying both assetId and sourceAssetId. AssetsController::actionReplaceFile() supports replacin
Sources: nvd
CVE-2021-41824 [HIGH] CWE-1236; affected ≥ 3.4.0, < 3.7.14; 2021-10-18
CSV Injection Vulnerability
### Impact
In some circumstances, it was possible to export data in CSV format that could trigger a payload in old versions of Excel.
If you are accepting user input from untrusted sources and will be exporting that data in CSV format from element index pages, and there is a chance users will open that on old versions of Excel, then you should update.
### Patches
This has been patched in Craft 3.7.14.
### R
Sources: ghsa, osv
CVE-2021-32470 [MEDIUM] CWE-79; affected ≥ 0, < 3.6.13; 2022-03-18
Craft CMS Cross-site Scripting Vulnerability
Craft CMS before 3.6.13 has an XSS vulnerability.
Sources: ghsa, osv
CVE-2017-8052 [MEDIUM] CWE-79; affected ≥ 0, < 2.6.2974; 2022-05-17
Craft CMS XSS Vulnerability
Craft CMS before 2.6.2974 allows XSS attacks.
Sources: ghsa, osv
CVE-2022-28378 [MEDIUM] CWE-79; affected ≥ 0, < 3.7.29; 2022-04-04
Cross-site Scripting in craftcms/cms
Craft CMS before 3.7.29 allows cross-site scripting.
Sources: ghsa, osv