Craftcms Craft Cms vulnerabilities

CVE-2025-57811 [MEDIUM] CWE-1336 CVE-2025-57811: Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.

CVE-2025-54417 [MEDIUM] CVE-2025-54417: Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 throu Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary

CVE-2025-35939 [MEDIUM] CWE-472 CVE-2025-35939: Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named

CVE-2025-46731 [HIGH] CWE-1336 CVE-2025-46731: Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and o Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13

CVE-2025-32432 [CRITICAL] CVE-2025-32432: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.1

CVE-2025-23209 [HIGH] CWE-94 CVE-2025-23209: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability

CVE-2024-56145 [CRITICAL] CWE-94 CVE-2024-56145: Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.

CVE-2024-52293 [HIGH] CWE-22 CVE-2024-52293: Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePat Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.

CVE-2024-52291 [HIGH] CWE-22 CVE-2024-52291: Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access t

CVE-2024-52292 [MEDIUM] CWE-22 CVE-2024-52292: Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can

CVE-2024-45406 [MEDIUM] CWE-79 CVE-2024-45406: Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrum Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.

CVE-2024-41800 [HIGH] CWE-287 CVE-2024-41800: Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times w Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.

CVE-2024-37843 [CRITICAL] CWE-89 CVE-2024-37843: Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.

CVE-2023-36260 [HIGH] CWE-74 CVE-2023-36260: An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cau An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a repor

CVE-2023-36259 [MEDIUM] CWE-79 CVE-2023-36259: Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attac Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.

CVE-2024-21622 [HIGH] CWE-269 CVE-2024-21622: Craft is a content management system. This is a potential moderate impact, low complexity privilege Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

CVE-2023-41892 [CRITICAL] CWE-94 CVE-2023-41892: Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity atta Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.

CVE-2023-40035 [HIGH] CWE-74 CVE-2023-40035: Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validate Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_

CVE-2023-33495 [MEDIUM] CWE-79 CVE-2023-33495: Craft CMS through 4.4.9 is vulnerable to HTML Injection. Craft CMS through 4.4.9 is vulnerable to HTML Injection.

CVE-2023-30179 [HIGH] CWE-94 CVE-2023-30179: CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated att CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrator