pkg:Packagist/craftcms/cms

97 total CVEs: CRITICAL 6, HIGH 13, MEDIUM 29, LOW 1

All known vulnerabilities

  • CRITICAL 10.0 | CVE-2025-32432 | ⚠ KEV | Craft CMS Allows Remote Code Execution
    >= 3.0.0-RC1, < 3.9.15
  • CRITICAL 9.8 | CVE-2024-56145 | ⚠ KEV | Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
    >= 5.0.0-RC1, < 5.5.2
  • HIGH 8.0 | CVE-2025-23209 | ⚠ KEV | Craft CMS has a potential RCE with a compromised security key
    >= 5.0.0-RC1, < 5.5.8
  • MEDIUM 5.3 | CVE-2025-35939 | ⚠ KEV | Craft CMS stores arbitrary content provided by unauthenticated users in session files
    >= 5.0.0-alpha.1, < 5.7.5
  • CRITICAL 10.0 | CVE-2023-41892 | Craft CMS Remote Code Execution vulnerability
    >= 4.0.0-RC1, < 4.4.15
  • CRITICAL 9.8 | CVE-2024-37843 | Craft CMS SQL injection vulnerability via the GraphQL API endpoint
    from 0, <= 3.7.31
  • CRITICAL 9.8 | CVE-2019-15929 | Craft CMS possibility of brute force attempts
    from 0, < 3.1.7
  • CRITICAL 9.8 | CVE-2021-27903 | Craft CMS Remote Code Injection
    from 0, < 3.6.7
  • HIGH 8.8 | CVE-2023-30130 | CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
    from 0, <= 3.8.1
  • HIGH 8.8 | CVE-2018-3814 | Craft CMS PHP Code Injection Vulnerability
    from 0, <= 2.6.3000
  • HIGH 8.8 | CVE-2022-29933 | Improper account password reset in Craft CMS
    from 0, < 3.7.36
  • HIGH 8.8 | CVE-2021-41824 | CSV Injection Vulnerability
    >= 3.4.0, < 3.7.14
  • HIGH 8.4 | CVE-2024-52291 | Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
    >= 5.0.0-RC1, < 5.4.6
  • HIGH 7.7 | CVE-2024-52292 | Craft CMS Arbitrary System File Read
    >= 5.0.0-alpha.1, < 5.4.9
  • HIGH 7.5 | CVE-2023-36260 | Craft CMS Feed-Me
    from 0, < 4.6.2
  • HIGH 7.5 | CVE-2022-37783 | Craft CMS discloses password hashes
    >= 3.0.0, < 3.7.33
  • HIGH 7.2 | CVE-2024-52293 | Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
    >= 4.0.0-RC1, < 4.12.2
  • HIGH 7.2 | CVE-2023-40035 | Craft CMS vulnerable to Remote Code Execution via validatePath bypass
    >= 4.0.0-RC1, < 4.4.15
  • HIGH 7.2 | CVE-2023-32679 | Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
    >= 4.0.0, < 4.4.6
  • HIGH 7.2 | CVE-2018-20465 | Craft CMS Vulnerable to Server-Side Template Injection
    from 0, <= 3.0.34
  • MEDIUM 6.1 | CVE-2023-33495 | Craft CMS vulnerable to HTML injection
    from 0, <= 4.4.9
  • MEDIUM 6.1 | CVE-2023-33195 | Craft CMS XSS in RSS widget feed
    >= 4.3.0, < 4.4.6
  • MEDIUM 6.1 | CVE-2023-31144 | craftcms/cms vulnerable to cross site scripting in RSS feed widget
    >= 3.0.0, < 3.8.4
  • MEDIUM 6.1 | CVE-2023-30177 | Cross Site Scripting in CraftCMS
    from 0, < 3.7.68
  • MEDIUM 6.1 | CVE-2023-23927 | Craft CMS Stored Cross-site Scripting Injection Vulnerability
    >= 4.0.0-RC1, < 4.3.7
  • MEDIUM 6.1 | CVE-2019-17496 | Craft CMS XSS Vulnerability
    from 0, < 3.3.8
  • MEDIUM 6.1 | CVE-2019-12823 | Craft CMS XSS Vulnerability
    from 0, < 3.1.31
  • MEDIUM 6.1 | CVE-2017-8052 | Craft CMS XSS Vulnerability
    from 0, < 2.6.2974
  • MEDIUM 6.1 | CVE-2017-8384 | Craft CMS XSS Vulnerability
    from 0, < 2.6.2976
  • MEDIUM 6.1 | CVE-2022-28378 | Cross-site Scripting in craftcms/cms
    from 0, < 3.7.29
  • MEDIUM 6.1 | CVE-2021-32470 | Craft CMS Cross-site Scripting Vulnerability
    from 0, < 3.6.13
  • MEDIUM 6.1 | CVE-2021-27902 | Craft CMS Cross-site Scripting Vulnerability
    from 0, < 3.6.0
  • MEDIUM 5.5 | CVE-2024-45406 | Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
    >= 5.0.0, < 5.1.2
  • MEDIUM 5.5 | CVE-2023-33197 | Craft CMS stored XSS in indexedVolumes
    >= 4.0.0-RC1, < 4.4.6
  • MEDIUM 5.5 | CVE-2023-33196 | Craft CMS stored XSS in review volume
    >= 4.0.0-RC1, < 4.4.7
  • MEDIUM 5.4 | CVE-2024-21622 | Craft CMS Privilege Escalation
    >= 4.0.0-RC1, < 4.5.11
  • MEDIUM 5.4 | CVE-2023-2817 | Stored cross site scripting in Craft CMS
    >= 4.0.0-RC1, < 4.4.12
  • MEDIUM 5.4 | CVE-2022-37246 | Craft CMS Cross-site Scripting vulnerability
    >= 4.0.0-RC1, < 4.2.1
  • MEDIUM 5.4 | CVE-2022-37250 | Craft CMS Stored Cross-site Scripting in User Addresses Title
    >= 4.0.0-RC1, < 4.2.1
  • MEDIUM 5.4 | CVE-2022-37248 | Craft CMS Cross site Scripting vulnerability
    >= 4.0.0-RC1, < 4.2.1
  • MEDIUM 5.4 | CVE-2022-37251 | Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts
    >= 3.7.0-beta.1, < 3.7.55.2
  • MEDIUM 5.4 | CVE-2022-37247 | Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page
    >= 4.0.0-RC1, < 4.2.1
  • MEDIUM 5.4 | CVE-2020-19626 | Craft CMS Cross-site Scripting Vulnerability
    from 0, < 3.1.33
  • MEDIUM 5.4 | CVE-2017-9516 | Craft CMS XSS Vulnerability
    from 0, < 2.6.2982
  • MEDIUM 5.3 | CVE-2017-8385 | Craft CMS subject to URL forgery
    from 0, < 2.6.2976
  • MEDIUM 5.3 | CVE-2017-8383 | Craft CMS Unauthorized View
    from 0, < 2.6.2976
  • MEDIUM 4.8 | CVE-2024-41800 | Craft CMS Allows TOTP Token To Stay Valid After Use
    >= 5.0.0-beta.1, < 5.2.3
  • MEDIUM 4.8 | CVE-2018-20418 | Craft CMS Cross-site Scripting (XSS) Vulnerability
    from 0, <= 3.0.25
  • LOW 3.7 | CVE-2023-33194 | CraftCMS stored XSS in Quick Post widget error message
    >= 4.0.0-RC1, < 4.4.6
  • CVE-2026-44012 | Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
    >= 5.0.0-RC1, < 5.9.18
  • CVE-2026-44011 | Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
    >= 4.0.0, < 4.17.12
  • CVE-2026-44010 | Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
    >= 5.0.0, < 5.9.18
  • CVE-2026-41130 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint
    >= 5.0.0-RC1, < 5.9.15
  • CVE-2026-41129 | Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
    >= 5.0.0-RC1, < 5.9.15
  • CVE-2026-41128 | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
    >= 5.6.0, < 5.9.15
  • CVE-2026-33162 | Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
    >= 5.3.0, < 5.9.14
  • CVE-2026-33161 | Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
    >= 5.0.0-RC1, < 5.9.14
  • CVE-2026-33160 | Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
    >= 5.0.0-RC1, < 5.9.14
  • CVE-2026-33159 | Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
    >= 5.0.0-RC1, < 5.9.14
  • CVE-2026-33158 | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
    >= 4.0.0-RC1, < 4.17.8
  • CVE-2026-33157 | Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
    >= 5.6.0, < 5.9.13
  • CVE-2026-33051 | Craft CMS Vulnerable to Stored XSS in Revision Context Menu
    >= 5.9.0-beta.1, < 5.9.11
  • CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
    >= 4.0.0-RC1, < 4.17.6
  • CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE via ElementIndexesController and FieldsController
    >= 4.0.0-RC1, < 4.17.5
  • CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController
    >= 5.6.0, < 5.9.11
  • CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController
    >= 4.0.0-RC1, < 4.17.5
  • CVE-2026-31857 | CraftCMS has an RCE vulnerability via relational conditionals in the control panel
    >= 5.0.0-RC1, < 5.9.9
  • CVE-2026-31858 | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
    >= 5.0.0-RC1, < 5.9.9
  • CVE-2026-31859 | CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
    >= 4.15.3, < 4.17.3
  • CVE-2026-29113 | Craft CMS has a potential information disclosure vulnerability in preview tokens
    >= 4.0.0-RC1, < 4.17.4
  • CVE-2026-29069 | Craft CMS has unauthenticated activation email trigger with potential user enumeration
    >= 5.0.0-RC1, < 5.9.0-beta.2
  • CVE-2026-28784 | Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-28782 | Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-28783 | Craft CMS has Twig Function Blocklist Bypass
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-28781 | Craft CMS: Entries Authorship Spoofing via Mass Assignment
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-28697 | Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-28696 | Craft CMS has IDOR via GraphQL @parseRefs
    >= 4.0.0-RC1, < 4.17.0-beta.1
  • CVE-2026-28695 | Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
    >= 5.8.7, < 5.9.0-beta.1
  • CVE-2026-27129 | Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
    >= 5.0.0-RC1, < 5.8.23
  • CVE-2026-27128 | Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
    >= 4.5.0-RC1, < 4.16.19
  • CVE-2026-27127 | Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
    >= 5.0.0-RC1, < 5.8.23
  • CVE-2026-27126 | Craft CMS has Stored XSS in Table Field via "HTML" Column Type
    >= 4.5.0-RC1, < 4.16.19
  • CVE-2026-25498 | Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2026-25497 | Craft CMS: GraphQL Asset Mutation Privilege Escalation
    >= 5.0.0-RC1, < 5.9.0-beta.1
  • CVE-2026-25496 | Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2026-25495 | Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2026-25494 | Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2026-25493 | Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2026-25491 | Craft CMS Vulnerable to Stored XSS in Entry Types Name
    >= 5.0.0-RC1, < 5.8.22
  • CVE-2025-68455 | Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
    >= 5.0.0-RC1, < 5.8.21
  • CVE-2025-68456 | Unauthenticated Craft CMS users can trigger a database backup
    >= 5.0.0-RC1, < 5.8.21
  • CVE-2025-68454 | Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
    >= 5.0.0-RC1, < 5.8.21
  • CVE-2025-68437 | Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
    >= 5.0.0-RC1, < 5.8.21
  • CVE-2025-68436 | Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
    >= 5.0.0-RC1, < 5.8.21
  • CVE-2025-57811 | Craft CMS Potential Remote Code Execution via Twig SSTI
    >= 4.0.0-RC1, < 4.16.6
  • CVE-2025-54417 | Craft CMS has a theoretical bypass for CVE-2025-23209
    >= 4.13.8, < 4.16.3
  • CVE-2025-46731 | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
    >= 4.0.0-RC1, < 4.14.13