craftcms
Products: cms · commerce
Score: 81.1 · CVEs: 19 · Active: 2 · PoC: 17 · KEV: 2 · Rank: #28
| CVE ID | Published | CVSS | Exploit | KEV | AC | PR | Auto | Score | Affected Products | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-56382 | 2026-06-21 | 8.6 (v4.0) | POC | — | Low | High | no | 0.0 | cms | Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseCo |
| CVE-2026-44010 | 2026-05-12 | 7.1 (v4.0) | POC | — | Low | Low | no | 0.0 | cms | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read eve |
| CVE-2026-44011 | 2026-05-12 | 8.6 (v4.0) | POC | — | Low | High | no | 0.0 | cms | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled c |
| CVE-2026-41130 | 2026-04-21 | 5.5 (v4.0) | POC | — | Low | High | YES | 0.0 | cms | Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default con |
| CVE-2026-33159 | 2026-03-24 | 6.9 (v4.0) | POC | — | Low | None | YES | 0.0 | cms | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-chang |
| CVE-2026-32267 | 2026-03-16 | 7.7 (v4.0) | POC | — | Low | Low | no | 0.0 | cms | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->act |
| CVE-2026-29172 | 2026-03-10 | 8.7 (v4.0) | POC | — | Low | Low | YES | 0.0 | commerce | Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by \| and the first part (column name) is passed directly as an array key to orderBy() without whitelist vali |
| CVE-2026-28697 | 2026-03-04 | 9.4 (v4.0) | POC | — | Low | High | no | 0.0 | cms | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.writ |
| CVE-2026-28781 | 2026-03-04 | 7.1 (v4.0) | POC | — | Low | Low | no | 0.0 | cms | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend pr |
| CVE-2026-28782 | 2026-03-04 | 5.3 (v4.0) | POC | — | Low | Low | no | 0.0 | cms | Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is rest |
| CVE-2026-27127 | 2026-02-24 | 7.0 (v4.0) | POC | — | High | Low | no | 0.0 | cms | Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebind |
| CVE-2025-68437 | 2026-01-05 | 5.0 (v4.0) | POC | — | Low | High | no | 0.0 | cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically it |
| CVE-2025-68455 | 2026-01-05 | 8.6 (v4.0) | POC | — | Low | High | no | 0.0 | cms | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for thi |
| CVE-2025-68456 | 2026-01-05 | 7.0 (v4.0) | POC | — | Low | None | no | 0.0 | cms | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to |
| CVE-2025-32432 | 2025-04-25 | 10.0 (v3.1) | ACTIVE | YES | Low | None | YES | 40.6 | cms | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity att |
| CVE-2024-56145 | 2024-12-18 | 9.3 (v4.0) | ACTIVE | YES | Low | None | YES | 40.6 | cms | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. |
| CVE-2024-52292 | 2024-11-13 | 7.7 (v3.1) | POC | — | Low | Low | no | 0.0 | cms | Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function wit |
| CVE-2024-52293 | 2024-11-13 | 7.2 (v3.1) | POC | — | Low | High | no | 0.0 | cms | Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath, which could lead to Remote Code Execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3. |
| CVE-2023-40035 | 2023-08-23 | 7.2 (v3.1) | POC | — | Low | High | no | 0.0 | cms | Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only |
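The practical use of a table like this is to answer "which of these apply to the versions I run?". The following is an added example, not code from this page or from the Craft project: it orders Craft-style version strings (including RC and beta pre-releases, which the ranges above use as branch start points), transcribes the affected ranges for the entries whose ranges are stated in full, and matches them against the craftcms/* versions in a composer.lock. The composer.lock fragment is constructed for the example. Reading "Prior to X" as "X's major branch, below X" is an assumption made here, as is the alphabetical ordering of pre-release labels (alpha < beta < rc).

```python
import json
import re


def vkey(v):
    """Sort key for Craft-style versions ('5.9.14', '5.0.0-RC1', '4.17.0-beta.1').
    A final release sorts after its own pre-releases; pre-release labels are
    compared alphabetically (alpha < beta < rc), an assumption that fits Craft's naming."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2) is None:
        return (nums, 1, "", 0)
    return (nums, 0, m.group(2).lower(), int(m.group(3)))


# Affected ranges transcribed from the table above, for entries whose ranges are
# stated in full: (lower bound inclusive or None, upper bound, upper bound inclusive?).
# "Prior to X" entries carry no lower bound and are read as X's major branch only (assumption).
AFFECTED = {
    "CVE-2025-32432": ("cms", [("3.0.0-RC1", "3.9.15", False), ("4.0.0-RC1", "4.14.15", False), ("5.0.0-RC1", "5.6.17", False)]),
    "CVE-2026-56382": ("cms", [("5.5.0", "5.9.13", True)]),
    "CVE-2026-33159": ("cms", [("4.0.0-RC1", "4.17.8", False), ("5.0.0-RC1", "5.9.14", False)]),
    "CVE-2026-27127": ("cms", [("4.5.0-RC1", "4.16.18", True), ("5.0.0-RC1", "5.8.22", True)]),
    "CVE-2026-28697": ("cms", [(None, "4.17.0-beta.1", False), (None, "5.9.0-beta.1", False)]),
    "CVE-2024-52293": ("cms", [(None, "4.12.2", False), (None, "5.4.3", False)]),
    "CVE-2026-29172": ("commerce", [(None, "4.10.2", False), (None, "5.5.3", False)]),
}


def in_range(version, rng):
    """True if version falls inside one (lo, hi, hi_inclusive) range."""
    lo, hi, hi_inclusive = rng
    k, hk = vkey(version), vkey(hi)
    if lo is None:
        if k[0][0] != hk[0][0]:  # "prior to 4.12.2" only concerns the 4.x branch
            return False
    elif k < vkey(lo):
        return False
    return k <= hk if hi_inclusive else k < hk


def matching_cves(installed):
    """installed: {'cms': '5.6.16', 'commerce': '5.5.2'} -> {cve_id: product}."""
    hits = {}
    for cve, (product, ranges) in AFFECTED.items():
        version = installed.get(product)
        if version and any(in_range(version, r) for r in ranges):
            hits[cve] = product
    return hits


def versions_from_composer_lock(lock_text):
    """Pull craftcms/* package versions out of a composer.lock document."""
    out = {}
    for pkg in json.loads(lock_text).get("packages", []):
        name = pkg.get("name", "")
        if name.startswith("craftcms/"):
            out[name.split("/", 1)[1]] = pkg["version"].lstrip("v")
    return out


# Constructed composer.lock fragment for the example (not taken from any real site).
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.6.16"},
    {"name": "craftcms/commerce", "version": "5.5.2"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    installed = versions_from_composer_lock(SAMPLE_COMPOSER_LOCK)
    for cve, product in sorted(matching_cves(installed).items()):
        print(f"{cve}: craftcms/{product} {installed[product]} is in an affected range")
```

Entries whose ranges the table leaves unstated (CVE-2024-56145, CVE-2024-52292, CVE-2023-40035) are deliberately not encoded; a matcher that guesses ranges is worse than one that reports "unknown". Note that CVE-2024-56145 additionally depends on php.ini (`register_argc_argv`), which no version check can decide.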
Scoring: each CVE with ACTIVE in-the-wild exploitation earns a 10-point base; PoC-only entries score 0. The base is multiplied by:
- KEV listed: ×2.0
- Attack complexity (AC) Low: ×1.2
- Privileges required (PR) None: ×1.3, Low: ×1.1
- Automatable: ×1.3

For the two active entries this gives 10 × 2.0 × 1.2 × 1.3 × 1.3 = 40.56, shown as 40.6 each, and the product score of 81.1.
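To check that the per-CVE scores and the product total are consistent with the stated rule, here is an added example (not code from this page or its tracker) that parses rows in the table's own markdown layout and recomputes the score. The three rows are a constructed sample copied from the table with descriptions shortened; the third row carries an escaped pipe (`\|`), as CVE-2026-29172's description must in a markdown table, so the parser handles that edge case. The column names and the "YES" marker for KEV-listed entries are this example's own conventions.

```python
import re

# Scoring rule as stated on the page: a 10-point base for CVEs with ACTIVE
# exploitation only, multiplied by the boosts below; PoC-only rows score 0.
BASE_ACTIVE = 10.0
BOOST = {"kev": 2.0, "ac_low": 1.2, "pr_none": 1.3, "pr_low": 1.1, "auto": 1.3}

# Column names assumed by this example, in the table's order.
COLUMNS = ["cve", "published", "cvss", "exploit", "kev", "ac", "pr",
           "auto", "score", "product", "description"]

# Constructed sample in the page's table layout (descriptions shortened).
SAMPLE_ROWS = r"""
| CVE-2025-32432 | 2025-04-25 | 10.0 (v3.1) | ACTIVE | YES | Low | None | YES | 40.6 | cms | RCE |
| CVE-2024-56145 | 2024-12-18 | 9.3 (v4.0) | ACTIVE | YES | Low | None | YES | 40.6 | cms | RCE if register_argc_argv is on |
| CVE-2026-29172 | 2026-03-10 | 8.7 (v4.0) | POC | — | Low | Low | YES | 0.0 | commerce | sort split by \| then orderBy() |
"""


def parse_row(line):
    """Split one markdown table row into a dict; a backslash-escaped pipe is a literal pipe."""
    cells = re.split(r"(?<!\\)\|", line.strip())[1:-1]   # drop the empty ends from the outer pipes
    cells = [c.strip().replace("\\|", "|") for c in cells]
    if len(cells) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} cells, got {len(cells)}: {line!r}")
    return dict(zip(COLUMNS, cells))


def score(row):
    """Raw (unrounded) score of one row under the page's rule."""
    if row["exploit"].upper() != "ACTIVE":
        return 0.0
    s = BASE_ACTIVE
    if row["kev"].upper() == "YES":
        s *= BOOST["kev"]
    if row["ac"] == "Low":
        s *= BOOST["ac_low"]
    if row["pr"] == "None":
        s *= BOOST["pr_none"]
    elif row["pr"] == "Low":
        s *= BOOST["pr_low"]
    if row["auto"].upper() == "YES":
        s *= BOOST["auto"]
    return s


def summarize(table_text):
    """Recompute the header counters and the product total from the rows."""
    rows = [parse_row(l) for l in table_text.splitlines() if l.startswith("|")]
    return {
        "cves": len(rows),
        "active": sum(r["exploit"].upper() == "ACTIVE" for r in rows),
        "poc": sum(r["exploit"].upper() == "POC" for r in rows),
        "kev": sum(r["kev"].upper() == "YES" for r in rows),
        "per_cve": {r["cve"]: round(score(r), 1) for r in rows},
        "total": round(sum(score(r) for r in rows), 1),   # sum before rounding, as the page's 81.1 implies
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

Summing the unrounded scores (2 × 40.56 = 81.12) and rounding once reproduces the page's 81.1; rounding each row first would give 81.2, which is why `total` rounds last.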