
CraftCMS — Vulnerabilities & Security Advisories 89

Browse all 89 CVE security advisories affecting CraftCMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

Found 64 results / 89

Scores and severities marked (AI) are the site's AI-estimated values; "-" means no severity was given for that entry.

| CVE ID | Title | Package | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-25498 | Craft has a potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 7.2 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25497 | Craft has a GraphQL Asset Mutation Privilege Escalation | cms | CWE-639 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25496 | Craft has a stored XSS in Number Prefix & Suffix Fields | cms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2026-25495 | Craft has a SQL Injection in Element Indexes via criteria[orderBy] | cms | CWE-89 | 8.8 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25494 | Craft has a SSRF in GraphQL Asset Mutation via Alternative IP Notation | cms | CWE-918 | 7.5 (AI) | High (AI) | 2026-02-09 |
| CVE-2026-25493 | Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect | cms | CWE-918 | 9.1 (AI) | Critical (AI) | 2026-02-09 |
| CVE-2026-25492 | Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host | cms | CWE-918 | 6.5 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2026-25491 | Craft has a Stored XSS in Entry Types Name | cms | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-09 |
| CVE-2025-68456 | Unauthenticated Craft CMS users can trigger a database backup | cms | CWE-770 | 9.1 | - | 2026-01-05 |
| CVE-2025-68455 | Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 7.2 | - | 2026-01-05 |
| CVE-2025-68454 | Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI | cms | CWE-1336 | 7.2 | - | 2026-01-05 |
| CVE-2025-68437 | Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation | cms | CWE-918 | 9.1 | - | 2026-01-05 |
| CVE-2025-68436 | Craft CMS vulnerable to potential information disclosure via unchecked asset relocation | cms | CWE-200 | 6.5 | - | 2026-01-05 |
| CVE-2025-57811 | Craft Potential Remote Code Execution via Twig SSTI | cms | CWE-1336 | 9.8 (AI) | Critical (AI) | 2025-08-25 |
| CVE-2025-54417 | Craft contains a theoretical bypass for CVE-2025-23209 | cms | CWE-94 | 6.6 | - | 2025-08-09 |
| CVE-2025-46731 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2025-05-05 |
| CVE-2025-32432 | Craft CMS Allows Remote Code Execution | cms | CWE-94 | 10.0 | Critical | 2025-04-25 |
| CVE-2025-23209 | Potential RCE with a compromised security key in craft/cms | cms | CWE-94 | 8.1 | High | 2025-01-18 |
| CVE-2024-56145 | RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms | cms | CWE-94 | 9.8 | - | 2024-12-18 |
| CVE-2024-52291 | Craft has a Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution | cms | CWE-22 | 8.5 | High | 2024-11-13 |
| CVE-2024-52292 | Craft Allows Attackers to Read Arbitrary System Files | cms | CWE-552 | 7.7 | High | 2024-11-13 |
| CVE-2024-52293 | Craft has a Potential Remote Code Execution via missing path normalization & Twig SSTI | cms | CWE-22 | 7.2 | High | 2024-11-13 |
| CVE-2024-45406 | Craft CMS stored XSS in breadcrumb list and title fields | cms | CWE-80 | 5.5 | Medium | 2024-09-09 |
| CVE-2024-41800 | Craft CMS Allows TOTP Token To Stay Valid After Use | cms | CWE-287 | 4.8 | Medium | 2024-07-25 |
| CVE-2024-21622 | Craft CMS Privilege Escalation | cms | CWE-269 | 5.4 | Medium | 2024-01-03 |
| CVE-2023-41892 | Craft CMS Remote Code Execution vulnerability | cms | CWE-94 | 10.0 | Critical | 2023-09-13 |
| CVE-2023-40035 | Craft CMS vulnerable to Remote Code Execution via validatePath bypass | cms | CWE-74 | 7.2 | High | 2023-08-23 |
| CVE-2023-33195 | Craft CMS XSS in RSS widget feed | cms | CWE-79 | 5.0 | Medium | 2023-05-27 |
| CVE-2023-33194 | CraftCMS stored XSS in Quick Post widget error message | cms | CWE-80 | 3.7 | Low | 2023-05-26 |
| CVE-2023-33196 | Craft CMS stored XSS in review volume | cms | CWE-80 | 5.5 | Medium | 2023-05-26 |

This page lists every published CVE security advisory associated with CraftCMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.