
CraftCMS — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting CraftCMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-25484 | Craft Commerce has Stored XSS in Product Type Name | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25483 | Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25482 | Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2025-68456 | Unauthenticated Craft CMS users can trigger a database backup | cms | CWE-770 | 9.1 | - | 2026-01-05 |
| CVE-2025-68455 | Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 7.2 | - | 2026-01-05 |
| CVE-2025-68454 | Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI | cms | CWE-1336 | 7.2 | - | 2026-01-05 |
| CVE-2025-68437 | Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation | cms | CWE-918 | 9.1 | - | 2026-01-05 |
| CVE-2025-68436 | Craft CMS vulnerable to potential information disclosure via unchecked asset relocation | cms | CWE-200 | 6.5 | - | 2026-01-05 |
| CVE-2025-57811 | Craft Potential Remote Code Execution via Twig SSTI | cms | CWE-1336 | 9.8 (AI) | Critical (AI) | 2025-08-25 |
| CVE-2025-54417 | Craft contains a theoretical bypass for CVE-2025-23209 | cms | CWE-94 | 6.6 | - | 2025-08-09 |
| CVE-2025-46731 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2025-05-05 |
| CVE-2025-32432 | Craft CMS Allows Remote Code Execution | cms | CWE-94 | 10.0 | Critical | 2025-04-25 |
| CVE-2025-23209 | Potential RCE with a compromised security key in craft/cms | cms | CWE-94 | 8.1 | High | 2025-01-18 |
| CVE-2024-56145 | RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms | cms | CWE-94 | 9.8 | - | 2024-12-18 |
| CVE-2024-52291 | Craft has a Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution | cms | CWE-22 | 8.5 | High | 2024-11-13 |
| CVE-2024-52292 | Craft Allows Attackers to Read Arbitrary System Files | cms | CWE-552 | 7.7 | High | 2024-11-13 |
| CVE-2024-52293 | Craft has a Potential Remote Code Execution via missing path normalization & Twig SSTI | cms | CWE-22 | 7.2 | High | 2024-11-13 |
| CVE-2024-45406 | Craft CMS stored XSS in breadcrumb list and title fields | cms | CWE-80 | 5.5 | Medium | 2024-09-09 |
| CVE-2024-41800 | Craft CMS Allows TOTP Token To Stay Valid After Use | cms | CWE-287 | 4.8 | Medium | 2024-07-25 |
| CVE-2024-21622 | Craft CMS Privilege Escalation | cms | CWE-269 | 5.4 | Medium | 2024-01-03 |
| CVE-2023-41892 | Craft CMS Remote Code Execution vulnerability | cms | CWE-94 | 10.0 | Critical | 2023-09-13 |
| CVE-2023-40035 | Craft CMS vulnerable to Remote Code Execution via validatePath bypass | cms | CWE-74 | 7.2 | High | 2023-08-23 |
| CVE-2023-33195 | Craft CMS XSS in RSS widget feed | cms | CWE-79 | 5.0 | Medium | 2023-05-27 |
| CVE-2023-33194 | CraftCMS stored XSS in Quick Post widget error message | cms | CWE-80 | 3.7 | Low | 2023-05-26 |
| CVE-2023-33196 | Craft CMS stored XSS in review volume | cms | CWE-80 | 5.5 | Medium | 2023-05-26 |
| CVE-2023-33197 | Craft CMS stored XSS in indexedVolumes | cms | CWE-80 | 5.5 | Medium | 2023-05-26 |
| CVE-2023-32679 | Remote Code Execution via unrestricted file extension in Craft CMS | cms | CWE-74 | 7.2 | High | 2023-05-19 |
| CVE-2023-31144 | Craft CMS vulnerable to cross site scripting in RSS feed widget | cms | CWE-79 | 6.1 | Medium | 2023-05-09 |
| CVE-2023-23927 | Craft CMS stored cross-site scripting vulnerability | cms | CWE-79 | 6.1 | Medium | 2023-03-03 |

Values marked (AI) carry the page's "AI" badge, meaning the CVSS score and severity are AI-estimated rather than vendor-assigned; "-" means no severity was given.

This page lists every published CVE security advisory associated with CraftCMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.