Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

craftcms — Vulnerabilities & Security Advisories 110

Browse all 110 CVE security advisories affecting craftcms. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

CVE IDTitleCVSSSeverityPublished
CVE-2026-50282 Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves — cmsCWE-862--2026-07-02
CVE-2026-50281 Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements — cmsCWE-915--2026-07-02
CVE-2026-50280 Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check — cmsCWE-284--2026-07-01
CVE-2026-50279 Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap — cmsCWE-285--2026-07-01
CVE-2026-55794 Craft CMS: Potential authenticated Remote Code Execution via referrer redirect — cmsCWE-1336--2026-07-01
CVE-2026-55792 Craft CMS: Sensitive File Disclosure / Server-Side File Read — cmsCWE-200--2026-07-01
CVE-2026-55791 Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs — cmsCWE-918--2026-07-01
CVE-2026-55790 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget — cmsCWE-79--2026-07-01
CVE-2026-50284 Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets — cmsCWE-862--2026-07-01
CVE-2026-50283 Craft CMS: Unauthorized Deletion of Source Assets During File Replacement — cmsCWE-862--2026-07-01
CVE-2026-55793 Craft CMS: Stored XSS via Structure entry title in table view — cmsCWE-79--2026-07-01
CVE-2026-56394 Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter — cmsCWE-22 6.5 Medium2026-06-21
CVE-2026-56393 Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options — cmsCWE-79 4.8 Medium2026-06-21
CVE-2026-56385 Craft CMS - Authorization Bypass in assets/preview-file Endpoint — cmsCWE-639 4.3 Medium2026-06-21
CVE-2026-56384 Craft CMS - Missing Authorization in assets/preview-thumb Endpoint — cmsCWE-862 4.3 Medium2026-06-21
CVE-2026-56383 Craft CMS - Stored XSS in Table Field via Row Heading Column Type — cmsCWE-79 4.8 Medium2026-06-21
CVE-2026-56382 Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController — cmsCWE-94 7.2 High2026-06-21
CVE-2026-56381 Craft CMS - Stored XSS via User Group Name in User Permissions Page — cmsCWE-79 4.8 Medium2026-06-21
CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior — cmsCWE-479--2026-05-12
CVE-2026-44012 Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure — cmsCWE-862--2026-05-12
CVE-2026-44010 Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure — cmsCWE-862--2026-05-12
CVE-2026-41130 Craft CMS has a host header injection leading to SSRF via resource-js endpoint — cmsCWE-918 10.0AICriticalAI2026-04-21
CVE-2026-41129 Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations — cmsCWE-918 8.3AIHighAI2026-04-21
CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action — cmsCWE-862 4.3AIMediumAI2026-04-21
CVE-2026-32272 Craft Commerce: Blind SQL Injection via hasVariant/hasProduct — commerceCWE-89 9.8 -2026-04-13
CVE-2026-32271 Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget — commerceCWE-89 8.8 -2026-04-13
CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments — commerceCWE-200 5.3 -2026-04-13
CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions — cmsCWE-285 4.3 -2026-03-24
CVE-2026-33161 Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users — cmsCWE-200 5.4 -2026-03-24
CVE-2026-33160 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL — cmsCWE-639 5.3 -2026-03-24

This page lists every published CVE security advisory associated with craftcms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.