CVE-2025-68455HIGHCVSS 7.2EG 7.2✓ Fixed in 5.8.21

vulnerable: 5.0.0 ... 5.8.9 (142 versions)

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must…

CVE-2025-68456CRITICALCVSS 9.1EG 9.1✓ Fixed in 5.8.21

2026-01-05

vulnerable: 5.0.0 ... 5.8.9 (142 versions)

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource…

CVE-2026-25491MEDIUMCVSS 4.8EG 4.8✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is not sanitized when displayed in the Entry Types list. This vulnerability is fixed in 5.8.22.

CVE-2026-25493MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzz…

CVE-2026-25494MEDIUMCVSS 6.5EG 6.5✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP address…

CVE-2026-25495HIGHCVSS 8.8EG 8.8✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (J…

CVE-2026-25496MEDIUMCVSS 4.8EG 4.8✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered …

CVE-2026-25497HIGHCVSS 8.8EG 8.8✓ Fixed in 5.9.0-beta.1

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (145 versions)

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user w…

CVE-2026-25498HIGHCVSS 7.2EG 7.2✓ Fixed in 5.8.22

2026-02-09

vulnerable: 5.0.0 ... 5.8.9 (143 versions)

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/se…

CVE-2026-31859MEDIUMCVSS 0.0EG 0.0✓ Fixed in 4.17.3

2026-03-11

vulnerable: 4.15.3 ... 4.17.2 (34 versions)

CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization ### Summary The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored i…

CVE-2026-41128MEDIUMCVSS 5.3EG 5.3✓ Fixed in 5.9.15

2026-04-22

vulnerable: 5.6.0 ... 5.9.9 (84 versions)

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups(…

CVE-2026-41129MEDIUMCVSS 5.5EG 5.5✓ Fixed in 4.17.9

2026-04-22

vulnerable: 4.0.0 ... 4.9.7 (240 versions)

Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the use…

CVE-2026-41130MEDIUMCVSS 5.5EG 5.5✓ Fixed in 4.17.9

2026-04-22

vulnerable: 4.0.0 ... 4.9.7 (240 versions)

Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. …

CVE-2026-44010HIGHCVSS 7.1EG 7.1✓ Fixed in 4.17.12

2026-05-12

vulnerable: 4.0.0 ... 4.9.7 (240 versions)

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API t…

CVE-2026-44011HIGHCVSS 8.6EG 8.6✓ Fixed in 5.9.18

2026-05-12

vulnerable: 5.0.0 ... 5.9.9 (164 versions)

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execu…

CVE-2026-44012HIGHCVSS 7.1EG 7.1✓ Fixed in 5.9.18

2026-05-12

vulnerable: 5.0.0 ... 5.9.9 (165 versions)

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, fol…

craftcms/cms

CVEs affecting craftcms/cmspage 2 of 2

Check whether craftcms/cms is used in your infrastructure