
Craftcms Craft Cms vulnerabilities

93 known vulnerabilities affecting craftcms/craft_cms.

Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 11, HIGH 30, MEDIUM 52

Vulnerabilities

Page 1 of 5
CVE-2025-32432 | P1 | CRITICAL | CVSS 10.0 | KEV | PoC | ≥ 3.0.0, < 3.9.15; ≥ 4.0.0, < 4.14.15; +1 more | 2025-04-25
CVE-2025-32432 [CRITICAL]: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.1
Source: nvd
CVE-2024-56145 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | ≥ 3.0.0, < 3.9.14; ≥ 4.0.0, < 4.13.2; +1 more | 2024-12-18
CVE-2024-56145 [CRITICAL] CWE-94: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.
Source: nvd
CVE-2025-23209 | P1 | HIGH | CVSS 8.1 | KEV | fixed in 4.13.8; fixed in 5.5.8; +2 more | 2025-01-18
CVE-2025-23209 [HIGH] CWE-94: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability
Source: nvd
CVE-2025-35939 | P1 | MEDIUM | CVSS 5.3 | KEV | fixed in 4.15.3; ≥ 5.0.0, < 5.7.5 | 2025-05-07
CVE-2025-35939 [MEDIUM] CWE-472: Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named
Source: nvd
CVE-2023-41892 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≥ 4.4.0, < 4.4.15 | 2023-09-13
CVE-2023-41892 [CRITICAL] CWE-94: Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Source: nvd
CVE-2020-9757 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | fixed in 3.3.0 | 2020-03-04
CVE-2020-9757 [CRITICAL] CWE-74: The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
Source: nvd
CVE-2024-37843 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 3.7.31 | 2024-06-25
CVE-2024-37843 [CRITICAL] CWE-89: Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
Source: nvd
CVE-2026-32267 | P2 | CRITICAL | CVSS 9.8 | ≥ 4.0.0.1, < 4.17.6; ≥ 5.0.1, < 5.9.12; +2 more | 2026-03-16
CVE-2026-32267 [CRITICAL] CWE-863: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patch
Source: nvd
CVE-2019-14280 | P3 | MEDIUM | CVSS 5.3 | PoC | ≥ 2.0.2524, < 2.7.10; ≥ 3.0.0, < 3.2.6 | 2019-07-26
CVE-2019-14280 [MEDIUM] CWE-200: In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured to do so, potentially exposing personal/geolocation data to the public.
Source: nvd
CVE-2025-68454 | P2 | HIGH | CVSS 8.8 | ≥ 4.0.0.1, < 4.16.17; ≥ 5.0.1, < 5.8.21; +2 more | 2026-01-05
CVE-2025-68454 [HIGH] CWE-1336: Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recom
Source: nvd
CVE-2026-25495 | P2 | HIGH | CVSS 8.8 | fixed in 4.16.18; fixed in 5.8.22; +2 more | 2026-02-09
CVE-2026-25495 [HIGH] CWE-89: Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Con
Source: nvd
CVE-2026-28697 | P2 | CRITICAL | CVSS 9.1 | fixed in 4.17.0; fixed in 5.9.0; +2 more | 2026-03-04
CVE-2026-28697 [CRITICAL] CWE-1336: Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PH
Source: nvd
CVE-2026-31857 | P2 | HIGH | CVSS 8.8 | ≥ 4.0.0.1, < 4.17.4; ≥ 5.0.1, < 5.9.9; +2 more | 2026-03-11
CVE-2026-31857 [HIGH] CWE-94: Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any auth
Source: nvd
CVE-2026-31858 | P3 | HIGH | CVSS 8.8 | ≥ 5.0.1, < 5.9.9; v5.0.0 | 2026-03-11
CVE-2026-31858 [HIGH]: Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it.
Source: nvd
CVE-2019-9554 | P3 | MEDIUM | CVSS 6.1 | PoC | v3.1.12 | 2019-12-31
CVE-2019-9554 [MEDIUM] CWE-79: In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an s/admin/entries/news/new URI.
Source: nvd
CVE-2026-25497 | P3 | HIGH | CVSS 8.8 | fixed in 4.17.0; fixed in 5.9.0; +2 more | 2026-02-09
CVE-2026-25497 [HIGH] CWE-639: Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS's GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other
Source: nvd
CVE-2025-54417 | P3 | HIGH | CVSS 8.8 | ≥ 4.13.8, < 4.16.3; ≥ 5.5.8, < 5.8.4 | 2025-08-09
CVE-2025-54417 [HIGH]: Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary fi
Source: nvd
CVE-2022-29933 | P3 | HIGH | CVSS 8.8 | ≤ 3.7.36 | 2022-05-09
CVE-2022-29933 [HIGH] CWE-640: Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the account by providing a crafted HTTP header to the application while using the password reset functionality. Specifically, the attacker must send X-Forwarded-Host to the /index.php?p=admin/actions/u
Source: nvd
CVE-2018-3814 | P3 | HIGH | CVSS 8.8 | v2.6.3000 | 2018-01-01
CVE-2018-3814 [HIGH] CWE-434: Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension.
Source: nvd
CVE-2025-68456 | P3 | CRITICAL | CVSS 9.1 | ≥ 3.0.0, < 4.16.17; ≥ 5.0.1, < 5.8.21; +1 more | 2026-01-05
CVE-2025-68456 [CRITICAL] CWE-202: Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to miti
Source: nvd