cvebase

Craftcms Craft Cms vulnerabilities

93 known vulnerabilities affecting craftcms/craft_cms.

Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 11, HIGH 30, MEDIUM 52

Vulnerabilities

Page 4 of 5
CVE-2026-33051 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 5.9.0, < 5.9.11 | 2026-03-20
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS p
Source: NVD
CVE-2026-32262 | P4 | MEDIUM | CVSS 4.3 | CWE-22 | ≥ 4.0.0.1, < 4.17.5; ≥ 5.0.1, < 5.9.11 (+2 more) | 2026-03-16
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenti
Source: NVD
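The check a practitioner wants for CVE-2026-32262 is that the user-supplied name is sanitized before the first filesystem call that uses it, not only on save, and that the resolved path is confined to the volume root. The PHP below is an added example written for this page, not Craft CMS code; `normalizeAssetFilename()`, `deleteAssetFile()` and the temporary directory layout are hypothetical.

```php
<?php
// Added example, not Craft CMS code: sanitize a user-supplied target filename
// before the FIRST filesystem operation that uses it, and confine the result
// to the volume root. Function names are hypothetical; requires PHP 8.0+.
declare(strict_types=1);

final class UnsafeFilenameException extends RuntimeException {}

/**
 * Reduce a user-supplied filename to a plain basename: no directory part,
 * no NUL byte, no "." / "..", no leading dot, conservative character set.
 */
function normalizeAssetFilename(string $name): string
{
    if (str_contains($name, "\0")) {
        throw new UnsafeFilenameException('NUL byte in filename');
    }
    // basename() only honours "/" on POSIX; normalise Windows separators first.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..') {
        throw new UnsafeFilenameException('empty or traversal-only filename');
    }
    $clean = preg_replace('/[^A-Za-z0-9._-]+/', '-', $base);
    $clean = $clean === null ? '' : ltrim($clean, '.');
    if ($clean === '') {
        throw new UnsafeFilenameException('filename has no usable characters');
    }
    return $clean;
}

/**
 * Delete $targetFilename inside $volumeRoot. Returns true if a file was
 * removed, false if no such file exists; throws if the name is unsafe or the
 * resolved path (symlinks followed by realpath()) escapes the root.
 */
function deleteAssetFile(string $volumeRoot, string $targetFilename): bool
{
    $root = realpath($volumeRoot);
    if ($root === false) {
        throw new RuntimeException("volume root not found: $volumeRoot");
    }
    $name = normalizeAssetFilename($targetFilename);   // sanitize BEFORE touching the disk
    $real = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($real === false) {
        return false;
    }
    if (!str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        throw new UnsafeFilenameException("resolved path escapes volume root: $real");
    }
    return unlink($real);
}

// Constructed demo layout: a volume directory holding one asset, plus a file
// outside the volume that a traversal-shaped name would point at.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'assets-demo-' . bin2hex(random_bytes(4));
$volume = $tmp . '/volume';
mkdir($volume, 0700, true);
file_put_contents($volume . '/photo.jpg', 'jpeg bytes');
file_put_contents($tmp . '/outside.txt', 'must survive');

// "../outside.txt" is reduced to "outside.txt", which does not exist inside
// the volume, so nothing is deleted and the outside file is untouched.
printf("traversal name -> deleted? %s; outside.txt still exists? %s\n",
    var_export(deleteAssetFile($volume, '../outside.txt'), true),
    var_export(file_exists($tmp . '/outside.txt'), true));
printf("plain name     -> deleted? %s\n",
    var_export(deleteAssetFile($volume, 'photo.jpg'), true));
try {
    deleteAssetFile($volume, "..\\..\\etc\\passwd\0.jpg");   // NUL byte: rejected outright
} catch (UnsafeFilenameException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

@unlink($tmp . '/outside.txt');
@rmdir($volume);
@rmdir($tmp);
```

The `realpath()` containment check is deliberately kept even though `normalizeAssetFilename()` already strips directory components: it is the defence that survives a future refactor that starts accepting folder paths, and it catches symlinks inside the volume that point outside it.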
CVE-2023-33495 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 4.4.9 | 2023-06-20
Craft CMS through 4.4.9 is vulnerable to HTML Injection.
Source: NVD
CVE-2026-31859 | P4 | MEDIUM | CVSS 6.1 | ≥ 4.15.3, < 4.17.3; ≥ 5.7.5, < 5.9.7 | 2026-03-11
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets); it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) con
Source: NVD
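The caveat behind CVE-2026-31859 is that a return URL is a URL, not an HTML fragment, so the control that matters is an allow-list on scheme and host (or a same-site path), not tag stripping. The PHP below is an added example for this page, not Craft CMS code and not a description of how Craft fixed the issue; `validateReturnUrl()`, the `cms.example` host and the constructed inputs are hypothetical.

```php
<?php
// Added example, not Craft CMS code: strip_tags() removes angle brackets but
// says nothing about URL schemes. A return URL needs an allow-list on scheme
// and host, or must be a same-site path. Function names are hypothetical.
declare(strict_types=1);

/** The insufficient approach: tags gone, "javascript:" intact. */
function sanitizeReturnUrlWithStripTags(string $url): string
{
    return strip_tags($url);
}

/**
 * Accept only a same-site absolute path ("/admin/...") or an absolute
 * http(s) URL whose host is on the allow-list. Everything else yields $fallback.
 */
function validateReturnUrl(string $url, array $allowedHosts, string $fallback = '/'): string
{
    // Browsers strip ASCII tab/newline and trim leading C0 controls and spaces
    // before parsing, so "java\tscript:" still executes. Reject rather than clean.
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        return $fallback;
    }

    if ($url[0] === '/') {
        // "/path" is fine; "//host" and "/\host" are scheme-relative redirects.
        return (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) ? $fallback : $url;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;   // javascript:, data:, vbscript:, "http:evil", bare hostnames
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return $fallback;   // also covers "https://cms.example@evil.example/"
    }
    return $url;
}

// Constructed inputs: every entry except the last two should fall back to "/".
$inputs = [
    'javascript:alert(document.cookie)',
    "java\tscript:alert(1)",
    ' JavaScript:alert(1)',
    'data:text/html,<b>hi</b>',
    '//evil.example/login',
    'https://evil.example/login',
    'https://cms.example@evil.example/login',
    '/admin/entries?site=default',
    'https://cms.example/admin/entries',
];
foreach ($inputs as $in) {
    printf("%-42s strip_tags: %-40s allow-list: %s\n",
        json_encode($in),
        sanitizeReturnUrlWithStripTags($in),
        validateReturnUrl($in, ['cms.example']));
}
```

Comparing the two columns on the `javascript:` and `data:` rows is the whole point: `strip_tags()` either leaves the value unchanged or removes only the `<b>` markup, while the allow-list rejects both because neither parses to an `http(s)` URL with an approved host. Host matching is exact; a suffix check would let `cms.example.evil.example` through.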
CVE-2023-2817 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 4.4.11 | 2023-05-26
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.
Source: NVD
CVE-2026-27128 | P4 | MEDIUM | CVSS 4.8 | CWE-367 | fixed in 4.16.19, 5.8.23 (+2 more) | 2026-02-24
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then
Source: NVD
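CVE-2026-27128 is the classic check-then-act shape on a usage counter: a SELECT that compares the count against the limit, followed by a separate UPDATE. The PHP below is an added example for this page, not Craft CMS code; it contrasts that shape with a single conditional UPDATE that checks and claims a use atomically. The `tokens` table, its columns and the function names are hypothetical, and the script needs the pdo_sqlite extension.

```php
<?php
// Added example, not Craft CMS code: check-then-increment (two statements,
// racy) versus one conditional UPDATE that reserves a use atomically. The
// tokens table and function names are hypothetical; needs pdo_sqlite.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// usage_limit NULL means "unlimited".
$db->exec('CREATE TABLE tokens (
    token       TEXT PRIMARY KEY,
    usage_count INTEGER NOT NULL DEFAULT 0,
    usage_limit INTEGER
)');
$db->exec("INSERT INTO tokens VALUES ('one-shot', 0, 1)");

/** Step 1 of the racy pattern: read the counter and compare it. */
function tokenWithinLimit(PDO $db, string $token): bool
{
    $st = $db->prepare('SELECT usage_count, usage_limit FROM tokens WHERE token = ?');
    $st->execute([$token]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return $row['usage_limit'] === null || $row['usage_count'] < $row['usage_limit'];
}

/** Step 2 of the racy pattern: unconditional increment, after the route was served. */
function recordTokenUse(PDO $db, string $token): void
{
    $db->prepare('UPDATE tokens SET usage_count = usage_count + 1 WHERE token = ?')
       ->execute([$token]);
}

/**
 * Atomic pattern: one statement both checks the limit and claims a use. The
 * database serializes writes to the row, so at most usage_limit callers ever
 * see rowCount() === 1, whatever the request interleaving. The same SQL runs
 * unchanged on SQLite, MySQL and PostgreSQL.
 */
function claimTokenUse(PDO $db, string $token): bool
{
    $st = $db->prepare(
        'UPDATE tokens SET usage_count = usage_count + 1
          WHERE token = ? AND (usage_limit IS NULL OR usage_count < usage_limit)'
    );
    $st->execute([$token]);
    return $st->rowCount() === 1;   // 0 rows: unknown token or limit already reached
}

function usageCount(PDO $db, string $token): int
{
    $st = $db->prepare('SELECT usage_count FROM tokens WHERE token = ?');
    $st->execute([$token]);
    return (int) $st->fetchColumn();
}

// Simulated interleaving of two concurrent requests A and B on a single-use
// token: both pass the check before either writes, so both are served.
$aOk = tokenWithinLimit($db, 'one-shot');
$bOk = tokenWithinLimit($db, 'one-shot');
if ($aOk) { recordTokenUse($db, 'one-shot'); }
if ($bOk) { recordTokenUse($db, 'one-shot'); }
printf("racy:   A=%s B=%s usage_count=%d (limit 1)\n",
    var_export($aOk, true), var_export($bOk, true), usageCount($db, 'one-shot'));

// Same two requests with the atomic claim: only the first one succeeds.
$db->exec("UPDATE tokens SET usage_count = 0 WHERE token = 'one-shot'");
$aOk = claimTokenUse($db, 'one-shot');
$bOk = claimTokenUse($db, 'one-shot');
printf("atomic: A=%s B=%s usage_count=%d (limit 1)\n",
    var_export($aOk, true), var_export($bOk, true), usageCount($db, 'one-shot'));
```

The important ordering detail is that `claimTokenUse()` has to run before the protected resource is handed out; incrementing after serving the route, as `recordTokenUse()` does, reopens the window even if the read is made consistent. Where a row lock is preferred, `SELECT ... FOR UPDATE` inside a transaction achieves the same on MySQL and PostgreSQL, but the conditional UPDATE needs no transaction at all.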
CVE-2021-27902 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.6.0 | 2021-06-30
An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with front-end forms that accepted user uploads.
Source: NVD
CVE-2019-12823 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.1.31 | 2019-06-18
Craft CMS before 3.1.31 does not properly filter XML feeds, allowing XSS.
Source: NVD
CVE-2019-17496 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 3.3.8 | 2019-10-11
Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
Source: NVD
CVE-2023-33195 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 4.3.0, < 4.4.6 | 2023-05-27
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
Source: NVD
CVE-2017-8383 | P4 | MEDIUM | CVSS 5.3 | ≤ 2.6.2974 | 2017-05-01
Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
Source: NVD
CVE-2023-31144 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 3.0.0, ≤ 3.8.3; ≥ 4.0.0, ≤ 4.4.3 | 2023-05-09
Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in versions 3.8.4 and 4.4.4.
Source: NVD
CVE-2023-30177 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | 3.7.59 | 2023-04-25
Craft CMS 3.7.59 is vulnerable to Cross Site Scripting (XSS). An attacker can inject JavaScript code into the Volume Name field.
Source: NVD
CVE-2023-23927 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.3.7 | 2023-03-03
Craft is a platform for creating digital experiences. When a payload is inserted into the label name or instructions of an entry type, cross-site scripting (XSS) occurs in the Quick Post widget on the admin dashboard. This issue has been fixed in version 4.3.7.
Source: NVD
CVE-2023-33197 | P4 | MEDIUM | CVSS 5.4 | CWE-80 | fixed in 4.4.6 | 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
Source: NVD
CVE-2022-37246 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | 4.2.0.1 | 2022-09-21
Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`.
Source: NVD
CVE-2026-25496 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.16.18, 5.8.22 (+2 more) | 2026-02-09
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, allowing script execution when the Number field is display
Source: NVD
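CVE-2026-33051 (Template::raw() around Craft::t() interpolation of a user's fullName) and CVE-2026-25496 (|md|raw on user-controlled Prefix and Suffix settings) are the same class: untrusted data reaches a "raw" output path. The point a practitioner wants is the ordering: escape the untrusted parameter, then interpolate it into the trusted template, then output raw. The PHP below is an added example for this page, not Craft CMS code; `t()` and `e()` are stand-ins for a translation call and an HTML escaper, not Craft::t() or Twig's escaper, and the template string and display name are constructed.

```php
<?php
// Added example, not Craft CMS code: when a templated string is going to be
// output raw, escape the untrusted parameters BEFORE interpolating them.
// t() and e() are stand-ins, not Craft::t() or Twig's escaper.
declare(strict_types=1);

/** HTML-escape a value for an HTML body or attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Minimal "{name}" placeholder interpolation, deliberately without escaping. */
function t(string $message, array $params): string
{
    $search = array_map(fn ($k) => '{' . $k . '}', array_keys($params));
    return str_replace($search, array_values($params), $message);
}

// Trusted markup that lives in the code base; this is the part "raw" is meant for.
const LABEL_TEMPLATE = 'Saved by <strong>{name}</strong>';

/** Vulnerable ordering: untrusted name interpolated as-is, result output raw. */
function revisionLabelUnsafe(string $fullName): string
{
    return t(LABEL_TEMPLATE, ['name' => $fullName]);
}

/** Correct ordering: escape the parameter, then interpolate, then output raw. */
function revisionLabelSafe(string $fullName): string
{
    return t(LABEL_TEMPLATE, ['name' => e($fullName)]);
}

/** Escaping the finished string is safe but also neutralises the template's own <strong>. */
function revisionLabelOverEscaped(string $fullName): string
{
    return e(t(LABEL_TEMPLATE, ['name' => $fullName]));
}

// Constructed display name shaped like a stored-XSS payload.
$fullName = '<img src=x onerror=alert(document.domain)>';
foreach (['revisionLabelUnsafe', 'revisionLabelSafe', 'revisionLabelOverEscaped'] as $fn) {
    printf("%-26s %s\n", $fn . ':', $fn($fullName));
}
```

Only `revisionLabelSafe()` keeps the intended `<strong>` while rendering the name inert, which is why a blanket "escape the whole result" fix is usually rejected in review and the raw filter stays. The same reasoning applies to the `|md|raw` case: the Markdown renderer is fed the escaped setting value, so inline HTML in it is neutralised before anything is marked raw.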
CVE-2026-27126 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.16.19, 5.8.23 (+2 more) | 2026-02-24
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another
Source: NVD
CVE-2026-28782 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 4.17.0, 5.9.0 (+2 more) | 2026-03-04
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restricti
Source: NVD
CVE-2026-29113 | P4 | MEDIUM | CVSS 4.3 | CWE-352 | ≥ 4.0.0, < 4.17.4; ≥ 5.0.0, < 5.9.7 | 2026-03-10
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a
Source: NVD