
CraftCMS — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting CraftCMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

Entries marked (AI) carry a CVSS score and severity labelled as AI-generated on the original page; "-" means no severity was recorded.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | cms | CWE-918 | 10.0 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-41129 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations | cms | CWE-918 | 8.3 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-41128 | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | cms | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-32272 | Craft Commerce: Blind SQL Injection via hasVariant/hasProduct | commerce | CWE-89 | 9.8 | - | 2026-04-13 |
| CVE-2026-32271 | Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget | commerce | CWE-89 | 8.8 | - | 2026-04-13 |
| CVE-2026-32270 | Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments | commerce | CWE-200 | 5.3 | - | 2026-04-13 |
| CVE-2026-33162 | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | cms | CWE-285 | 4.3 | - | 2026-03-24 |
| CVE-2026-33161 | Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users | cms | CWE-200 | 5.4 | - | 2026-03-24 |
| CVE-2026-33160 | Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL | cms | CWE-639 | 5.3 | - | 2026-03-24 |
| CVE-2026-33159 | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users | cms | CWE-306 | 8.6 | - | 2026-03-24 |
| CVE-2026-33158 | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) | cms | CWE-639 | 4.3 | - | 2026-03-24 |
| CVE-2026-33157 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 8.8 | - | 2026-03-24 |
| CVE-2026-33051 | Craft CMS Vulnerable to Stored XSS in Revision Context Menu | cms | CWE-79 | 5.4 | - | 2026-03-20 |
| CVE-2026-32268 | Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability | azure-blob | CWE-862 | 4.3 | - | 2026-03-18 |
| CVE-2026-32266 | Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability | google-cloud | CWE-200 | 5.3 | - | 2026-03-18 |
| CVE-2026-32265 | Amazon S3 for Craft CMS has an Information Disclosure vulnerability | aws-s3 | CWE-200 | 4.3 | - | 2026-03-18 |
| CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() | cms | CWE-863 | 8.8 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController | cms | CWE-470 | 7.2 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | cms | CWE-470 | 9.1 (AI) | Critical (AI) | 2026-03-16 |
| CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController | cms | CWE-22 | 8.1 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-32261 | RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin | webhooks | CWE-1336 | 7.5 (AI) | High (AI) | 2026-03-16 |
| CVE-2026-31867 | Craft Commerce has a Potential IDOR in Commerce carts | commerce | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-31859 | Craft has Reflective XSS via incomplete return URL sanitization | cms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31858 | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection | cms | CWE-89 | 6.5 (AI) | Medium (AI) | 2026-03-11 |
| CVE-2026-31857 | CraftCMS has an RCE vulnerability via relational conditionals in the control panel | cms | CWE-94 | 8.8 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-29177 | Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29176 | Craft Commerce has Stored XSS in Inventory Location Name | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29175 | Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking | commerce | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29174 | Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting | commerce | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-29173 | Craft Commerce has Stored XSS while updating Order Status from Orders Table | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |

This page lists every published CVE security advisory associated with CraftCMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.