
Craftcms Craft Cms vulnerabilities

93 known vulnerabilities affecting craftcms/craft_cms.

Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 11, HIGH 30, MEDIUM 52

Vulnerabilities

Page 3 of 5
CVE-2024-52291 | P3 | HIGH | CVSS 7.2 | CWE-22 | fixed in 4.12.5; fixed in 5.4.6; +2 more | 2024-11-13
Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access t
Source: nvd
CVE-2019-15929 | P3 | CRITICAL | CVSS 9.8 | CWE-640 | ≤ 3.1.7 | 2019-10-24
In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute force attempt on them.
Source: nvd
CVE-2024-41800 | P3 | HIGH | CVSS 7.5 | CWE-287 | ≥ 5.0.1, < 5.2.3; v5.0.0 | 2024-07-25
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.
Source: nvd
CVE-2024-52292 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | ≥ 3.5.13, < 4.12.8; ≥ 5.0.0, < 5.4.9 | 2024-11-13
Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can
Source: nvd
CVE-2026-27127 | P3 | MEDIUM | CVSS 6.3 | ≥ 3.5.1, < 4.16.19; ≥ 5.0.1, < 5.8.23; +2 more | 2026-02-24
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns differe
Source: nvd
CVE-2026-27129 | P3 | MEDIUM | CVSS 6.5 | ≥ 3.5.0, < 4.16.19; ≥ 5.0.1, < 5.8.23; +1 more | 2026-02-24
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison t
Source: nvd
CVE-2026-33158 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 4.17.8; fixed in 5.9.14; +2 more | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a prev
Source: nvd
CVE-2022-37783 | P3 | HIGH | CVSS 7.5 | CWE-522 | ≥ 3.0.0, ≤ 3.7.32 | 2022-12-05
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username in Anti-CSRF-Tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. The CRAFT_CSRF_TOKEN cookie discloses the password ha
Source: nvd
CVE-2025-68437 | P3 | MEDIUM | CVSS 6.8 | CWE-918 | ≥ 3.5.0, < 4.16.17; ≥ 5.0.1, < 5.8.21; +1 more | 2026-01-05
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save__Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbi
Source: nvd
CVE-2026-25492 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | ≥ 3.5.0, < 4.16.18; ≥ 5.0.0, < 5.8.22 | 2026-02-09
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstr
Source: nvd
CVE-2026-25494 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 4.16.18; fixed in 5.8.22; +2 more | 2026-02-09
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers
Source: nvd
CVE-2026-25493 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 4.16.18; fixed in 5.8.22; +2 more | 2026-02-09
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that poi
Source: nvd
CVE-2026-28781 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 4.17.0; fixed in 5.9.0; +2 more | 2026-03-04
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is au
Source: nvd
CVE-2026-33159 | P3 | MEDIUM | CVSS 6.5 | CWE-306 | fixed in 4.17.8; fixed in 5.9.14; +2 more | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patc
Source: nvd
CVE-2026-33162 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | ≥ 5.3.0, < 5.9.14 | 2026-03-24
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been pa
Source: nvd
CVE-2025-68436 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | ≥ 4.0.0.1, < 4.16.17; ≥ 5.0.1, < 5.8.21; +2 more | 2026-01-05
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the
Source: nvd
CVE-2023-36260 | P3 | HIGH | CVSS 7.5 | CWE-74 | fixed in 4.6.1.1 | 2024-01-30
An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a repor
Source: nvd
CVE-2018-20465 | P3 | HIGH | CVSS 7.2 | CWE-311 | ≤ 3.0.34 | 2018-12-25
Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as demonstrated by a {% string for craft.app.config.DB.user and craft.app.config.DB.password in the URI Format of the Site Settings, which causes a cleartext username and password to be displayed in a URI field.
Source: nvd
CVE-2026-33160 | P4 | MEDIUM | CVSS 5.3 | CWE-639 | fixed in 4.17.8; fixed in 5.9.14; +2 more | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-ass
Source: nvd
CVE-2026-29069 | P4 | MEDIUM | CVSS 5.3 | CWE-639 | fixed in 4.17.0; fixed in 5.9.0; +4 more | 2026-03-04
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID.
Source: nvd