Security Intel Hub 28+

Curated security advisories, vulnerability analyses, and exploit write-ups — auto-cleaned and translated to English. Updated continuously.

High
Craft CMS Path Traversal Vulnerability Fix Analysis
GHSA-95wr-3f2v-v2wh · github.com · 2026-04-22
Craft CMS < latest patched version
High
CraftCMS Host Header Injection Leads to SSRF via resource-js Endpoint
github.com · 2026-04-22
Craft CMS >= 5.0.0-RC1, <= 5.9.14 · Craft CMS >= 4.0.0-RC1, <= 4.17.8
Medium
Craft CMS User Group Removal Authorization Bypass (CVE-2026-41128)
CVE-2026-41128 · github.com · 2026-04-22
Craft CMS 5.6.0 · Craft CMS 5.9.14
High
Craft CMS Authorization Bypass Fix in UsersController (GHSA-jq2f-59pj-p3m3)
GHSA-jq2f-59pj-p3m3 · github.com · 2026-04-22
Craft CMS < latest patch version for commit b135384
High
CraftCMS File Upload Protocol Bypass Fix Analysis
GHSA-3m9m-24vh-39wx · github.com · 2026-04-22
craftcms/cms
High
Craft CMS Element Index Blind SQL Injection (CVE-2026-25495)
CVE-2026-25495 · github.com · 2026-04-18
craftcms/cms 5.0.0-RC1 to 5.8.21 · craftcms/cms 4.0.0-RC1 to 4.16.17
High
Control Panel SQL Injection Vulnerability and Fix
github.com · 2026-04-18
Craft Commerce <= 5.5.4
Low
Unauthenticated Information Disclosure in Craft Commerce (CVE-2025-32270)
CVE-2025-32270 · github.com · 2026-04-18
Craft Commerce 5.0.0 to 5.5.4 · Craft Commerce 4.0.0 to 4.10.2
High
CraftCMS Commerce RCE via SQLi and PHP Deserialization (CVE-2026-52271)
CVE-2026-52271 · github.com · 2026-04-18
craftcms/commerce >= 4.0.0, <= 4.10.2 · craftcms/commerce >= 5.0.0, <= 5.5.4
Medium
Craft CMS CVE-2026-27129 IPv6 SSRF Protection Bypass via gethostbyname
GHSA-v2gc-rm6g-wrw9 · github.com · 2026-02-24
Craft CMS >= 5.0.0-RC1 <= 5.8.22 · Craft CMS >= 3.5.0 <= 4.16.18
Unknown
Craft CMS SSRF Fix via IPv6 Prefix Filtering (GHSA-v2gc-rm6g-wrw9)
GHSA-v2gc-rm6g-wrw9 · github.com · 2026-02-24
Craft CMS < 5.9.12 · Craft CMS < 4.16.19
Low
Craft CMS Stored XSS Vulnerability (CVE-2026-27126) in editableTable Component
CVE-2026-27126 · github.com · 2026-02-24
Craft CMS >= 4.5.0-RC1, <= 4.16.18 · Craft CMS >= 5.0.0-RC1, <= 5.8.22
Critical
Craft CMS Admin RCE via Yii2 Behavior Injection (CVE-2026-25498)
CVE-2026-25498 · github.com · 2026-02-10
Craft CMS >= 5.0.0-RC1, <= 5.8.21 · Craft CMS >= 4.0.0-RC1, <= 4.16.17
Medium
CVE-2026-25492: GraphQL SSRF Exfiltrates AWS Credentials
CVE-2026-25492 · github.com · 2026-02-10
Craft CMS >= 5.0.0-RC1, <= 5.8.21 · Craft CMS >= 3.5.0, <= 4.16.17
Low
Craft CMS Stored XSS in Number Field Prefix/Suffix (CVE-2026-25496)
CVE-2026-25496 · github.com · 2026-02-10
Craft CMS >= 5.0.0-RC1, <= 5.8.21 · Craft CMS >= 4.0.0-RC1, <= 4.16.17
High
Craft CMS GraphQL Privilege Escalation via Asset Mutation (CVE-2026-25497)
CVE-2026-25497 · github.com · 2026-02-10
craftcms/cms >= 5.0.0-RC1, < 5.9.0-beta.1 · craftcms/cms >= 4.0.0-RC1, < 4.17.0-beta.1
Medium
CVE-2026-25493: SSRF via HTTP Redirect in GraphQL Asset Mutation
GHSA-8jr8-7hr4-vhfx · github.com · 2026-02-10
Craft CMS >= 5.0.0-RC1, <= 5.8.21 · Craft CMS >= 4.0.0-RC1, <= 4.16.17
Medium
Craft CMS Multiple Controllers XSS Fix via Html::encode
github.com · 2026-02-04
craftcms/commerce
Medium
Craft Commerce Stored XSS and Privilege Escalation via Tax Zones (CVE-2026-25489)
CVE-2026-25489 · github.com · 2026-02-04
Craft Commerce >= 5.0.0-RC1, <= 5.5.1 · Craft Commerce >= 4.0.0-RC1, <= 4.10.0
Medium
Craft Commerce Stored XSS in Order Status Widget (CVE-2026-25482)
CVE-2026-25482 · github.com · 2026-02-04
craftcms/commerce >= 5.0.0 <= 5.5.1 · craftcms/commerce >= 4.0.0-RC1 <= 4.10.0

All articles are auto-cleaned (markdown extraction + LLM noise removal) and translated to English by our offline pipeline. Source URL is always preserved at the bottom of each article.
