CraftCMS — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting CraftCMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system aimed at developers and agencies building custom websites and applications. The 89 CVEs recorded against it include remote code execution, cross-site scripting, SQL injection, server-side request forgery and privilege-escalation flaws in both the core and third-party plugins. The recurring root causes in the advisories listed below are improper input validation (stored XSS in administrator-editable names and descriptions, SQL injection through user-controlled sort criteria), server-side template injection in Twig, insecure deserialization, SSRF protections that can be bypassed with alternative IP notation, IPv6 resolution, DNS rebinding or HTTP redirects, and flawed access control (IDOR and mass assignment in entry and GraphQL operations). Many of the code-execution issues require an authenticated user, so which accounts can edit templates or run GraphQL mutations deserves the same scrutiny as the administrator list. The vendor releases security patches regularly, but the volume of advisories shows the risk carried by a complex plugin ecosystem and a large legacy codebase. Operators should apply updates promptly and audit custom templates and plugins, since unpatched instances are found by automated scanners and targeted by attackers seeking administrative access or data exfiltration.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-29172 | Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting | commerce | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-29113 | Craft has a potential information disclosure vulnerability in preview tokens | cms | CWE-352 | 6.5 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28784 | Craft is affected by potential authenticated Remote Code Execution via Twig SSTI | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | cms | CWE-94 | 7.2 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | cms | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-03-04 |
| CVE-2026-28781 | Craft Affected by Entries Authorship Spoofing via Mass Assignment | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-28696 | Craft affected by IDOR via GraphQL @parseRefs | cms | CWE-639 | 5.3 (AI) | Medium (AI) | 2026-03-04 |
| CVE-2026-28695 | Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04 |
| CVE-2026-27129 | Cloud Metadata SSRF Protection Bypass via IPv6 Resolution | cms | CWE-918 | 7.1 (AI) | High (AI) | 2026-02-24 |
| CVE-2026-27128 | Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit | cms | CWE-367 | 5.3 (AI) | Medium (AI) | 2026-02-24 |
| CVE-2026-27127 | Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding | cms | CWE-367 | 5.9 | - | 2026-02-24 |
| CVE-2026-27126 | Craft CMS has Stored XSS in Table Field via "HTML" Column Type | cms | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-24 |
| CVE-2026-25498 | Craft has a potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 7.2 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25497 | Craft has a GraphQL Asset Mutation Privilege Escalation | cms | CWE-639 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25496 | Craft has a stored XSS in Number Prefix & Suffix Fields | cms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2026-25495 | Craft has a SQL Injection in Element Indexes via criteria[orderBy] | cms | CWE-89 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25494 | Craft has a SSRF in GraphQL Asset Mutation via Alternative IP Notation | cms | CWE-918 | 7.5 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25493 | Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect | cms | CWE-918 | 9.1 (AI) | Critical (AI) | 2026-02-09 |
| CVE-2026-25492 | Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host | cms | CWE-918 | 6.5 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2026-25491 | Craft has a Stored XSS in Entry Types Name | cms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2020-37071 | CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | CraftCMS | CWE-502 | 9.8 | Critical | 2026-02-03 |
| CVE-2026-25522 | Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25490 | Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25489 | Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25488 | Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25487 | Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25486 | Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25485 | Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |

(AI) marks a CVSS score or severity that the site flags as AI-generated rather than taken from the advisory; CVE-2026-27127 has a score but no severity listed. The list shows 30 of the 89 recorded entries.
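
The four SSRF entries above (CVE-2026-27129, CVE-2026-27127, CVE-2026-25494 and CVE-2026-25493) name the bypass classes that defeat a naive cloud-metadata blocklist: alternative IP notation, IPv6 resolution, DNS rebinding and HTTP redirects. The following is an added example written for this page, not Craft CMS code and not the vendor's fix; it shows what a server-side fetch guard has to do to close all four at once: normalise libc-style IP literals before any lookup, check IPv4 addresses embedded in IPv6, resolve the hostname once and connect to the vetted IP, and re-vet every redirect hop. The hostnames, DNS answers and HTTP responses are constructed fixtures, and `check()`, `fake_open()` and `make_rebinding_resolver()` are illustrative helpers with no counterpart in Craft.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Never-reachable ranges: 169.254.169.254 (cloud metadata) is in 169.254.0.0/16, AWS's IPv6
# metadata address fd00:ec2::254 is in fc00::/7, 64:ff9b::/96 (NAT64) embeds an IPv4 address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8")]

class SSRFBlocked(Exception): pass

def _c_atoi(part: str) -> int:
    # One inet_aton(3) part: hex (0x7f), octal (0177) or decimal; anything else is an error.
    if not part.isalnum():
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    return int(part, 8) if len(part) > 1 and part[0] == "0" else int(part, 10)

def parse_legacy_ipv4(host: str):
    """inet_aton(3) shorthands ("2130706433", "0x7f.1", "0177.0.0.1") -> IPv4Address, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_c_atoi(p) for p in parts]
    except ValueError:
        return None
    last_bits = 32 - 8 * (len(parts) - 1)      # the last part fills the remaining bytes
    if any(n > 0xFF for n in nums[:-1]) or nums[-1] >= 1 << last_bits:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << last_bits) | nums[-1])

def is_blocked(ip) -> bool:
    """True if ip, or an IPv4 address embedded in an IPv6 ip, is in a blocked range."""
    candidates = [ip]
    if isinstance(ip, ipaddress.IPv6Address):
        # ::ffff:a9fe:a9fe, 6to4 and Teredo smuggle an IPv4 address past a v4-only blocklist.
        embedded = (ip.ipv4_mapped, ip.sixtofour, ip.teredo and ip.teredo[1])
        candidates += [a for a in embedded if a is not None]
    return any(c in net for c in candidates for net in BLOCKED_NETWORKS)

def resolve_dns(host: str):
    """System resolver (real network); the fixtures below inject a fake instead."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]

def vet_url(url: str, resolver=resolve_dns):
    """Check scheme/host, resolve ONCE, return (host, ip); connect to ip, never re-resolve host."""
    parts = urlsplit(url)
    host = parts.hostname                       # lowercased, IPv6 brackets stripped
    if parts.scheme not in ("http", "https") or not host:
        raise SSRFBlocked(f"unsupported URL: {url}")
    literal = parse_legacy_ipv4(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)    # IPv6 literal
        except ValueError:
            pass
    addrs = [literal] if literal is not None else resolver(host)
    if not addrs or any(is_blocked(a) for a in addrs):
        raise SSRFBlocked(f"{host} resolves to a blocked address")
    return host, str(addrs[0])

def fetch(url: str, open_connection, resolver=resolve_dns, max_redirects=3):
    """Follow redirects by hand so every hop is vetted; open_connection(url, ip) must dial ip."""
    for _ in range(max_redirects + 1):
        _host, ip = vet_url(url, resolver)
        status, location, body = open_connection(url, ip)   # -> (status, location, body)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return status, body
    raise SSRFBlocked("too many redirects")

# Constructed offline fixtures (fake DNS and fake HTTP; no real network is touched).
def make_rebinding_resolver():
    """Attacker DNS stand-in: a benign answer on the first query, the metadata IP after."""
    answers = iter(["203.0.113.10"])
    return lambda host: [ipaddress.ip_address(next(answers, "169.254.169.254"))]

FAKE_HTTP = {"http://cdn.example.test/logo.png": (200, None, b"\x89PNG"),
             "http://cdn.example.test/moved": (302, "http://169.254.169.254/latest/meta-data/", b"")}
CONNECTED_TO = []                               # every IP the fake client dialled

def fake_open(url, ip):
    CONNECTED_TO.append(ip)
    return FAKE_HTTP.get(url, (404, None, b""))

def check(url):
    """fetch() one URL against the fakes; returns 'allowed' or 'blocked'."""
    try:
        fetch(url, fake_open, make_rebinding_resolver())
        return "allowed"
    except SSRFBlocked:
        return "blocked"
```

`check("http://cdn.example.test/moved")` is refused because the redirect target is vetted before it is dialled, and `check("http://rebind.example.test/steal")` connects to the first answer (203.0.113.10) even though the fake resolver would hand out 169.254.169.254 on a second query, because `fetch()` dials the IP returned by `vet_url()` and never resolves the name again. Note that `parse_legacy_ipv4()` exists because the system resolver, not Python's `ipaddress` module, is what accepts "2130706433" or "0x7f.1"; a guard that only validates the host string with a strict parser still lets those through to `getaddrinfo()`.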

This page lists every published CVE security advisory associated with CraftCMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.