craftcms/cms
Packagist86 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting craftcms/cmspage 2 of 2
- CVE-2025-54417HIGHCVSS 8.8EG 8.8✓ Fixed in 5.8.42025-08-09
vulnerable: 5.5.10 ... 5.8.3 (48 versions)
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploi…
- CVE-2025-57811HIGHCVSS 7.2EG 7.2✓ Fixed in 5.8.72025-08-25
vulnerable: 5.0.0 ... 5.8.6 (126 versions)
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to…
- CVE-2025-68436MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.16.172026-01-05
vulnerable: 4.0.0 ... 4.9.7 (226 versions)
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo vi…
- CVE-2025-68437MEDIUMCVSS 6.8EG 6.8✓ Fixed in 4.16.172026-01-05
vulnerable: 3.5.0 ... 4.9.7 (429 versions)
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vu…
- CVE-2025-68454HIGHCVSS 8.8EG 8.8✓ Fixed in 4.16.172026-01-05
vulnerable: 4.0.0 ... 4.9.7 (226 versions)
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administ…
- CVE-2025-68455HIGHCVSS 7.2EG 7.2✓ Fixed in 4.16.172026-01-05
vulnerable: 4.0.0 ... 4.9.7 (226 versions)
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must…
- CVE-2025-68456CRITICALCVSS 9.1EG 9.1✓ Fixed in 4.16.172026-01-05
vulnerable: 3.0.0 ... 4.9.7 (668 versions)
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource…
- CVE-2026-25491MEDIUMCVSS 4.8EG 4.8✓ Fixed in 5.8.222026-02-09
vulnerable: 5.0.0 ... 5.8.9 (143 versions)
Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.
- CVE-2026-25493MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.16.182026-02-09
vulnerable: 4.0.0 ... 4.9.7 (227 versions)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzz…
- CVE-2026-25494MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.16.182026-02-09
vulnerable: 4.0.0 ... 4.9.7 (227 versions)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP address…
- CVE-2026-25495HIGHCVSS 8.8EG 8.8✓ Fixed in 4.16.182026-02-09
vulnerable: 4.0.0 ... 4.9.7 (227 versions)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (J…
- CVE-2026-25496MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.16.182026-02-09
vulnerable: 4.0.0 ... 4.9.7 (227 versions)
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered …
- CVE-2026-25497HIGHCVSS 8.8EG 8.8✓ Fixed in 4.17.0-beta.12026-02-09
vulnerable: 4.0.0 ... 4.9.7 (229 versions)
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user w…
- CVE-2026-25498HIGHCVSS 7.2EG 7.2✓ Fixed in 4.16.182026-02-09
vulnerable: 4.0.0 ... 4.9.7 (227 versions)
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/se…
- CVE-2026-31859MEDIUMCVSS 0.0EG 6.9✓ Fixed in 5.9.72026-03-11
vulnerable: 5.7.10 ... 5.9.6 (44 versions)
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization ### Summary The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored i…
- CVE-2026-41128MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.9.152026-04-22
vulnerable: 5.6.0 ... 5.9.9 (84 versions)
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups(…
- CVE-2026-41129MEDIUMCVSS 5.5EG 5.5✓ Fixed in 4.17.92026-04-22
vulnerable: 4.0.0 ... 4.9.7 (240 versions)
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the use…
- CVE-2026-41130MEDIUMCVSS 5.5EG 5.5✓ Fixed in 4.17.92026-04-22
vulnerable: 4.0.0 ... 4.9.7 (240 versions)
Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. …
- CVE-2026-44010HIGHCVSS 7.1EG 7.1✓ Fixed in 4.17.122026-05-12
vulnerable: 4.0.0 ... 4.9.7 (240 versions)
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API t…
- CVE-2026-44011HIGHCVSS 8.6EG 8.6✓ Fixed in 5.9.182026-05-12
vulnerable: 5.0.0 ... 5.9.9 (164 versions)
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execu…
- CVE-2026-44012HIGHCVSS 7.1EG 7.1✓ Fixed in 5.9.182026-05-12
vulnerable: 5.0.0 ... 5.9.9 (165 versions)
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, fol…
- CVE-2026-50279HIGHCVSS 7.6EG 7.6✓ Fixed in 5.9.212026-07-02
vulnerable: 5.0.0 ... 5.9.9 (168 versions)
Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the mode…
- CVE-2026-50280MEDIUMCVSS 6.0EG 6.0✓ Fixed in 5.9.212026-07-02
vulnerable: 5.0.0 ... 5.9.9 (168 versions)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring sa…
- CVE-2026-50281HIGHCVSS 7.1EG 7.1✓ Fixed in 5.9.212026-07-02
vulnerable: 5.7.0 ... 5.9.9 (64 versions)
Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitr…
- CVE-2026-50282HIGHCVSS 0.0EG 0.0✓ Fixed in 5.9.212026-07-02
vulnerable: 5.0.0 ... 5.9.9 (168 versions)
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination del…
- CVE-2026-50284HIGHCVSS 7.1EG 7.1✓ Fixed in 5.9.222026-07-01
vulnerable: 5.0.0 ... 5.9.9 (169 versions)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It …
- CVE-2026-55790HIGHCVSS 7.4EG 7.4✓ Fixed in 5.9.232026-07-01
vulnerable: 5.0.0 ... 5.9.9 (170 versions)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin use…
- CVE-2026-55791MEDIUMCVSS 6.9EG 6.9✓ Fixed in 4.182026-06-19
vulnerable: 4.0.0 ... 4.9.7 (249 versions)
Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /a…
- CVE-2026-55792MEDIUMCVSS 6.0EG 6.0✓ Fixed in 4.18.02026-07-02
vulnerable: 4.0.0 ... 4.9.7 (249 versions)
Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any co…
- CVE-2026-55793MEDIUMCVSS 5.9EG 5.9✓ Fixed in 5.9.532026-07-01
vulnerable: 5.0.0 ... 5.9.9 (171 versions)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries …
- CVE-2026-56381MEDIUMCVSS 4.8EG 4.8✓ Fixed in 5.8.222026-06-21
vulnerable: 5.0.0 ... 5.8.9 (143 versions)
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScrip…
- CVE-2026-56383MEDIUMCVSS 4.8EG 4.8✓ Fixed in 4.16.192026-06-21
vulnerable: 4.10.0 ... 4.9.7 (147 versions)
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attac…
- CVE-2026-56384MEDIUMCVSS 4.3EG 4.3✓ Fixed in 4.17.82026-06-21
vulnerable: 4.0.0 ... 4.9.7 (239 versions)
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive pre…
- CVE-2026-56385MEDIUMCVSS 4.3EG 4.3✓ Fixed in 5.9.142026-06-21
vulnerable: 5.0.0 ... 5.9.9 (161 versions)
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing…
- CVE-2026-56393MEDIUMCVSS 4.8EG 4.8✓ Fixed in 5.9.0-beta.12026-06-21
vulnerable: 5.0.0 ... 5.8.9 (145 versions)
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the…
- CVE-2026-56394MEDIUMCVSS 6.5EG 6.5✓ Fixed in 4.17.72026-06-21
vulnerable: 4.0.0 ... 4.9.7 (238 versions)
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing t…
Check whether craftcms/cms is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for craftcms/cms CVEs against the assets you own.
Start Free Scan →