
CraftCMS Vendor Vulnerability List / CVE Analysis in Chinese (89)

89 CVEs affecting CraftCMS vendor products, with AI-generated Chinese-language analysis, POCs, CVSS scores and affected products.

Craft CMS is a PHP-based content management system designed to give developers a flexible site-building experience. As of the latest count, 89 CVEs are recorded against it; historically its vulnerabilities cluster around cross-site scripting (XSS), remote code execution (RCE) and permission bypasses. The vendor fixes defects through ongoing security updates and stresses input validation and output encoding. Note that many of the RCE entries in the list below are authenticated (behavior injection through control-panel controllers, Twig SSTI from templates), so control-panel account hygiene and least-privilege user groups matter as much as patch currency. Although the attack surface is non-trivial, the modular architecture lets operators harden it selectively; overall security is rated as middling, and components must be kept up to date to counter potential threats.

64 of 89 results shown. Scores and severities marked (AI) are values the listing tags as AI-generated; "-" means no severity was listed for that entry.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | cms | CWE-918 | 10.0 (AI) | Critical (AI) | 2026-04-21
CVE-2026-41129 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations | cms | CWE-918 | 8.3 (AI) | High (AI) | 2026-04-21
CVE-2026-41128 | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | cms | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-04-21
CVE-2026-33162 | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | cms | CWE-285 | 4.3 | - | 2026-03-24
CVE-2026-33161 | Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users | cms | CWE-200 | 5.4 | - | 2026-03-24
CVE-2026-33160 | Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL | cms | CWE-639 | 5.3 | - | 2026-03-24
CVE-2026-33159 | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users | cms | CWE-306 | 8.6 | - | 2026-03-24
CVE-2026-33158 | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) | cms | CWE-639 | 4.3 | - | 2026-03-24
CVE-2026-33157 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 8.8 | - | 2026-03-24
CVE-2026-33051 | Craft CMS Vulnerable to Stored XSS in Revision Context Menu | cms | CWE-79 | 5.4 | - | 2026-03-20
CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() | cms | CWE-863 | 8.8 (AI) | High (AI) | 2026-03-16
CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController | cms | CWE-470 | 7.2 (AI) | High (AI) | 2026-03-16
CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | cms | CWE-470 | 9.1 (AI) | Critical (AI) | 2026-03-16
CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController | cms | CWE-22 | 8.1 (AI) | High (AI) | 2026-03-16
CVE-2026-31859 | Craft has Reflective XSS via incomplete return URL sanitization | cms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-11
CVE-2026-31858 | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection | cms | CWE-89 | 6.5 (AI) | Medium (AI) | 2026-03-11
CVE-2026-31857 | CraftCMS has an RCE vulnerability via relational conditionals in the control panel | cms | CWE-94 | 8.8 (AI) | High (AI) | 2026-03-11
CVE-2026-29113 | Craft has a potential information disclosure vulnerability in preview tokens | cms | CWE-352 | 6.5 (AI) | Medium (AI) | 2026-03-10
CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04
CVE-2026-28784 | Craft is affected by potential authenticated Remote Code Execution via Twig SSTI | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | cms | CWE-94 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | cms | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-03-04
CVE-2026-28781 | Craft Affected by Entries Authorship Spoofing via Mass Assignment | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04
CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28696 | Craft affected by IDOR via GraphQL @parseRefs | cms | CWE-639 | 5.3 (AI) | Medium (AI) | 2026-03-04
CVE-2026-28695 | Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-27129 | Cloud Metadata SSRF Protection Bypass via IPv6 Resolution | cms | CWE-918 | 7.1 (AI) | High (AI) | 2026-02-24
CVE-2026-27128 | Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit | cms | CWE-367 | 5.3 (AI) | Medium (AI) | 2026-02-24
CVE-2026-27127 | Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding | cms | CWE-367 | 5.9 | - | 2026-02-24
CVE-2026-27126 | Craft CMS has Stored XSS in Table Field via "HTML" Column Type | cms | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-24

This page compiles all 89 CVEs publicly disclosed for the CraftCMS vendor to date. Each entry carries a CVSS score, a CWE weakness classification, the affected products and reference links, together with an AI-generated Chinese-language analysis for quick risk assessment.
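When this listing is scraped, each row arrives flattened: the product tag is fused to the CWE ("cmsCWE-918"), the CVSS score is fused to an "AI" marker where the site tags the value as AI-generated ("10.0AI"), and severity, a second "AI" marker and the publication date run together ("CriticalAI2026-04-21"); rows with no listed severity carry " -" in its place. The following is an added example in Python, not code from this site or from Craft CMS: it parses such rows into records, applies the CVSS v3.x qualitative rating scale to fill in the severity for rows that list none and to cross-check the ones that do, groups entries by CWE, and orders a triage queue. The sample rows are copied from this page; the regular expression, the field names, and the reading of the "AI" marker as "AI-generated value" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied verbatim from the flattened listing on this page.
SAMPLE_ROWS = """\
CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint — cmsCWE-918 10.0AICriticalAI2026-04-21
CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action — cmsCWE-862 4.3AIMediumAI2026-04-21
CVE-2026-33159 Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users — cmsCWE-306 8.6 -2026-03-24
CVE-2026-33157 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior — cmsCWE-470 8.8 -2026-03-24
CVE-2026-32263 Craft CMS vulnerable to behavior injection RCE via EntryTypesController — cmsCWE-470 9.1AICriticalAI2026-03-16
CVE-2026-28784 Craft is affected by potential authenticated Remote Code Execution via Twig SSTI — cmsCWE-1336 7.2AIHighAI2026-03-04
CVE-2026-27127 Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding — cmsCWE-367 5.9 -2026-02-24
"""

# Assumed row grammar (an assumption about the scrape, not a documented format).
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+\u2014\s+"                      # title ends at the em-dash separator
    r"(?P<product>[a-z]+)(?P<cwe>CWE-\d+)\s+"           # "cmsCWE-918"
    r"(?P<cvss>\d{1,2}\.\d)(?P<ai_score>AI)?"            # "10.0AI" or "8.6"
    r"(?:\s*-|(?P<severity>Critical|High|Medium|Low|None)(?P<ai_sev>AI)?)"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)

SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_rows(text: str) -> list[dict]:
    """Parse flattened listing rows into records.

    A row the grammar rejects raises instead of being skipped, so a silently
    dropped CVE cannot disappear from a triage run.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        score = float(m["cvss"])
        listed = m["severity"]            # None for rows that carry " -"
        derived = cvss_rating(score)
        records.append({
            "cve": m["cve"],
            "title": m["title"],
            "product": m["product"],
            "cwe": m["cwe"],
            "cvss": score,
            "cvss_is_ai_estimate": m["ai_score"] is not None,
            "severity": listed or derived,
            "severity_source": "listed" if listed else "derived",
            # A listed severity that disagrees with the score is worth a second look.
            "severity_mismatch": listed is not None and listed != derived,
            "published": m["date"],
        })
    return records


def group_by_cwe(records: list[dict]) -> dict[str, list[str]]:
    """CWE -> CVE IDs in listing order, to see which weakness classes dominate."""
    groups = defaultdict(list)
    for r in records:
        groups[r["cwe"]].append(r["cve"])
    return dict(groups)


def triage_order(records: list[dict], min_severity: str = "High") -> list[tuple]:
    """(cve, cvss, ai_estimated) at or above min_severity, highest score first.

    AI-estimated scores are ranked like any other but carry a flag so they can
    be confirmed against the vendor advisory before driving an emergency patch.
    """
    threshold = SEVERITY_ORDER[min_severity]
    keep = [r for r in records if SEVERITY_ORDER[r["severity"]] >= threshold]
    keep.sort(key=lambda r: (-r["cvss"], r["cve"]))
    return [(r["cve"], r["cvss"], r["cvss_is_ai_estimate"]) for r in keep]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for cwe, ids in group_by_cwe(recs).items():
        print(cwe, ids)
    for cve, score, ai in triage_order(recs):
        print(cve, score, "(AI estimate)" if ai else "")
```

Running the block prints the CWE groups (CWE-470 appears twice in the sample, both behavior-injection RCEs) and then the High-and-above queue with the two AI-estimated Critical entries at the top; the two rows that listed no severity are placed by their derived rating rather than dropped.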