
Craft CMS (craftcms/craft_cms) vulnerabilities

93 known vulnerabilities affecting craftcms/craft_cms.

Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 9
Exploited in the wild: 6
Severity breakdown: CRITICAL 11, HIGH 30, MEDIUM 52

Vulnerabilities

Page 2 of 5
CVE-2026-28783 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.17.0, fixed in 5.9.0, +2 more | 2026-03-04
CWE-94: Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a co
Source: NVD
CVE-2021-27903 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.6.7 | 2021-06-30
CWE-862: An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restrict administrative changes (if an attacker were somehow able to hijack an administrator's session).
Source: NVD
CVE-2024-21622 | P3 | HIGH | CVSS 8.8 | ≥ 3.0.0, < 3.9.6; ≥ 4.0.0, ≤ 4.5.15 | 2024-01-03
CWE-269: Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
Source: NVD
CVE-2017-9516 | P4 | MEDIUM | CVSS 5.4 | PoC | ≤ 2.6.2981 | 2017-06-08
CWE-79: Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
Source: NVD
CVE-2026-25498 | P3 | HIGH | CVSS 7.2 | fixed in 4.16.18, fixed in 5.8.22, +2 more | 2026-02-09
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allo
Source: NVD
CVE-2025-68455 | P3 | HIGH | CVSS 7.2 | ≥ 4.0.0.1, < 4.16.17; ≥ 5.0.1, < 5.8.21; +2 more | 2026-01-05
CWE-470: Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched version
Source: NVD
CVE-2026-33157 | P3 | HIGH | CVSS 7.2 | ≥ 5.6.0, < 5.9.13 | 2026-03-24
CWE-470: Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various Field
Source: NVD
CVE-2023-32679 | P3 | HIGH | CVSS 7.2 | ≥ 4.0.0, < 4.4.6 | 2023-05-19
CWE-74: Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly withou
Source: NVD
CVE-2025-46731 | P3 | HIGH | CVSS 7.2 | ≥ 4.1.0, < 4.14.13; ≥ 5.1.0, < 5.6.15; +2 more | 2025-05-05
CWE-1336: Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13
Source: NVD
CVE-2025-57811 | P3 | HIGH | CVSS 7.2 | ≥ 4.1.0, < 4.16.6; ≥ 5.1.0, < 5.8.7; +2 more | 2025-08-25
CWE-1336: Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Source: NVD
CVE-2023-30130 | P3 | HIGH | CVSS 8.8 | v3.8.1 | 2023-05-12
CWE-94: An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
Source: NVD
CVE-2026-28784 | P3 | HIGH | CVSS 7.2 | fixed in 4.17.0, fixed in 5.9.0, +2 more | 2026-03-04
CWE-1336: Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craf
Source: NVD
CVE-2023-40035 | P3 | HIGH | CVSS 7.2 | ≥ 3.0.0, < 3.8.15; ≥ 4.0.0, < 4.4.15; +1 more | 2023-08-23
CWE-74: Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_
Source: NVD
CVE-2026-28695 | P3 | HIGH | CVSS 7.2 | fixed in 4.17.0, fixed in 5.9.0, +2 more | 2026-03-04
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined w
Source: NVD
CVE-2026-32264 | P3 | HIGH | CVSS 7.2 | ≥ 4.0.0.1, < 4.17.5; ≥ 5.0.1, < 5.9.11; +2 more | 2026-03-16
CWE-470: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This
Source: NVD
CVE-2018-20418 | P4 | MEDIUM | CVSS 4.8 | PoC | v3.0.25 | 2018-12-24
CWE-79: index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
Source: NVD
CVE-2023-30179 | P3 | HIGH | CVSS 7.2 | v3.7.59 | 2023-06-13
CWE-94: CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrator
Source: NVD
CVE-2024-52293 | P3 | HIGH | CVSS 7.2 | fixed in 4.12.2, fixed in 5.4.3, +2 more | 2024-11-13
CWE-22: Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Source: NVD
CVE-2026-28696 | P3 | HIGH | CVSS 7.5 | fixed in 4.17.0, fixed in 5.9.0, +2 more | 2026-03-04
CWE-639: Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The imple
Source: NVD
CVE-2026-32263 | P3 | HIGH | CVSS 7.2 | ≥ 5.6.0, < 5.9.11 | 2026-03-16
CWE-470: Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vect
Source: NVD