
craftcms — Vulnerabilities & Security Advisories (89)

Browse all 89 CVE security advisories affecting craftcms. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Craft CMS is a PHP-based content management system designed for developers and agencies to build custom websites and applications. With 89 recorded Common Vulnerabilities and Exposures (CVEs), the platform has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation, insecure deserialization, and flawed access control mechanisms within the application’s core and third-party plugins. While the development team actively releases security patches, the high volume of past incidents highlights the risks associated with complex plugin ecosystems and legacy codebases. Users must prioritize regular updates and rigorous code audits to mitigate these threats. The platform’s flexibility comes with the responsibility of maintaining strict security hygiene, as unpatched instances remain vulnerable to exploitation by automated scanners and targeted attackers seeking administrative access or data exfiltration.

Found 64 results out of 89.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | cms | CWE-918 | 10.0 (AI) | Critical (AI) | 2026-04-21
CVE-2026-41129 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations | cms | CWE-918 | 8.3 (AI) | High (AI) | 2026-04-21
CVE-2026-41128 | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | cms | CWE-862 | 4.3 (AI) | Medium (AI) | 2026-04-21
CVE-2026-33162 | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | cms | CWE-285 | 4.3 | - | 2026-03-24
CVE-2026-33161 | Craft CMS: Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users | cms | CWE-200 | 5.4 | - | 2026-03-24
CVE-2026-33160 | Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL | cms | CWE-639 | 5.3 | - | 2026-03-24
CVE-2026-33159 | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted to trusted users | cms | CWE-306 | 8.6 | - | 2026-03-24
CVE-2026-33158 | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) | cms | CWE-639 | 4.3 | - | 2026-03-24
CVE-2026-33157 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | cms | CWE-470 | 8.8 | - | 2026-03-24
CVE-2026-33051 | Craft CMS Vulnerable to Stored XSS in Revision Context Menu | cms | CWE-79 | 5.4 | - | 2026-03-20
CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() | cms | CWE-863 | 8.8 (AI) | High (AI) | 2026-03-16
CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE via ElementIndexesController and FieldsController | cms | CWE-470 | 7.2 (AI) | High (AI) | 2026-03-16
CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | cms | CWE-470 | 9.1 (AI) | Critical (AI) | 2026-03-16
CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController | cms | CWE-22 | 8.1 (AI) | High (AI) | 2026-03-16
CVE-2026-31859 | Craft has Reflective XSS via incomplete return URL sanitization | cms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-11
CVE-2026-31858 | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection | cms | CWE-89 | 6.5 (AI) | Medium (AI) | 2026-03-11
CVE-2026-31857 | CraftCMS has an RCE vulnerability via relational conditionals in the control panel | cms | CWE-94 | 8.8 (AI) | High (AI) | 2026-03-11
CVE-2026-29113 | Craft has a potential information disclosure vulnerability in preview tokens | cms | CWE-352 | 6.5 (AI) | Medium (AI) | 2026-03-10
CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04
CVE-2026-28784 | Craft is affected by potential authenticated Remote Code Execution via Twig SSTI | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | cms | CWE-94 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | cms | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-03-04
CVE-2026-28781 | Craft Affected by Entries Authorship Spoofing via Mass Assignment | cms | CWE-639 | 8.1 (AI) | High (AI) | 2026-03-04
CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-28696 | Craft affected by IDOR via GraphQL @parseRefs | cms | CWE-639 | 5.3 (AI) | Medium (AI) | 2026-03-04
CVE-2026-28695 | Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget | cms | CWE-1336 | 7.2 (AI) | High (AI) | 2026-03-04
CVE-2026-27129 | Cloud Metadata SSRF Protection Bypass via IPv6 Resolution | cms | CWE-918 | 7.1 (AI) | High (AI) | 2026-02-24
CVE-2026-27128 | Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit | cms | CWE-367 | 5.3 (AI) | Medium (AI) | 2026-02-24
CVE-2026-27127 | Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding | cms | CWE-367 | 5.9 | - | 2026-02-24
CVE-2026-27126 | Craft CMS has Stored XSS in Table Field via "HTML" Column Type | cms | CWE-79 | 4.8 (AI) | Medium (AI) | 2026-02-24

"(AI)" marks a CVSS score or severity that the listing tags as AI-provided; "-" means no severity rating is listed for that entry.

This page lists every published CVE security advisory associated with craftcms. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.