Craft CMS (craftcms/craft_cms) vulnerabilities
93 known vulnerabilities affecting craftcms/craft_cms.

Total CVEs: 93
CISA KEV: 4 (actively exploited)
Public exploits: 9
Exploited in wild: 6
Severity breakdown: CRITICAL 11, HIGH 30, MEDIUM 52

Vulnerabilities (page 5 of 5)
CVE-2017-8384 | P4 | MEDIUM | CVSS 6.1 | versions: ≤ 2.6.2974 | 2017-05-01
Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052.
Source: NVD
CVE-2020-19626 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: v3.1.31 | 2021-03-26
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31 allows remote attackers to inject arbitrary web script or HTML via /admin/settings/sites/new.
Source: NVD
CVE-2023-33196 | P4 | MEDIUM | CWE-80 | CVSS 5.4 | versions: ≥ 4.0.1, < 4.4.7; v4.0.0 | 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
Source: NVD
CVE-2022-37250 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: v4.2.0.1 | 2022-09-16
Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.
Source: NVD
CVE-2022-37248 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: v4.2.0.1 | 2022-09-16
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.
Source: NVD
CVE-2022-37247 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: v4.2.0.1 | 2022-09-16
Craft CMS 4.2.0.1 is vulnerable to a stored cross-site scripting (XSS) via the /admin/settings/fields page.
Source: NVD
CVE-2022-37251 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: v4.2.0.1 | 2022-09-16
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.
Source: NVD
CVE-2023-36259 | P4 | MEDIUM | CWE-79 | CVSS 5.4 | versions: fixed in 3.0.2 | 2024-01-30
Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.
Source: NVD
CVE-2026-25491 | P4 | MEDIUM | CWE-79 | CVSS 4.8 | versions: ≥ 5.0.0, < 5.8.21 | 2026-02-09
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
Source: NVD
CVE-2026-33161 | P4 | MEDIUM | CWE-200 | CVSS 4.3 | versions: fixed in 4.17.8; fixed in 5.9.14; +2 more | 2026-03-24
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private
Source: NVD
CVE-2017-8385 | P4 | MEDIUM | CWE-640 | CVSS 5.3 | versions: ≤ 2.6.2974 | 2017-05-01
Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
Source: NVD
CVE-2024-45406 | P4 | MEDIUM | CWE-79 | CVSS 4.8 | versions: ≥ 5.0.0, < 5.1.2 | 2024-09-09
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
Source: NVD
CVE-2023-33194 | P4 | MEDIUM | CWE-80 | CVSS 4.8 | versions: ≥ 3.0.0, < 3.8.6; ≥ 4.0.1, < 4.4.6 | 2023-05-26
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. The earlier CVE fixed the XSS in the label HTML but did not fix it when clicking save. This issue was patched in version 4.4.6.
Source: NVD