
CraftCMS — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting CraftCMS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

Showing 20 of 89 results

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32272 | Craft Commerce: Blind SQL Injection via hasVariant/hasProduct | commerce | CWE-89 | 9.8 | - | 2026-04-13 |
| CVE-2026-32271 | Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget | commerce | CWE-89 | 8.8 | - | 2026-04-13 |
| CVE-2026-32270 | Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments | commerce | CWE-200 | 5.3 | - | 2026-04-13 |
| CVE-2026-31867 | Craft Commerce has a Potential IDOR in Commerce carts | commerce | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-11 |
| CVE-2026-29177 | Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29176 | Craft Commerce has Stored XSS in Inventory Location Name | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29175 | Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking | commerce | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29174 | Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting | commerce | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-29173 | Craft Commerce has Stored XSS while updating Order Status from Orders Table | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-10 |
| CVE-2026-29172 | Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting | commerce | CWE-89 | 8.8 (AI) | High (AI) | 2026-03-10 |
| CVE-2026-25522 | Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25490 | Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25489 | Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25488 | Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25487 | Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25486 | Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25485 | Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation | commerce | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25484 | Craft Commerce has Stored XSS in Product Type Name | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25483 | Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |
| CVE-2026-25482 | Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) | commerce | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-03 |

(AI) marks CVSS scores and severity ratings that the page tags with its AI badge; a "-" severity means the page gives none for that entry.

This page lists every published CVE security advisory associated with CraftCMS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.