>= 3.0.0-RC1, < 3.9.15
| Severity | CVSS | Flags | Advisory | Affected versions |
| --- | --- | --- | --- | --- |
| CRITICAL | 9.8 | CVE-2024-56145, ⚠ KEV | Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled | >= 5.0.0-RC1, < 5.5.2 |
| HIGH | 8.0 | ⚠ KEV | Craft CMS has a potential RCE with a compromised security key | >= 5.0.0-RC1, < 5.5.8 |
| MEDIUM | 5.3 | ⚠ KEV | Craft CMS stores arbitrary content provided by unauthenticated users in session files | >= 5.0.0-alpha.1, < 5.7.5 |
| CRITICAL | 10.0 | | Craft CMS Remote Code Execution vulnerability | >= 4.0.0-RC1, < 4.4.15 |
| CRITICAL | 9.8 | | Craft CMS SQL injection vulnerability via the GraphQL API endpoint | from 0, <= 3.7.31 |
| CRITICAL | 9.8 | | Craft CMS possibility of brute force attempts | from 0, < 3.1.7 |
| CRITICAL | 9.8 | | Craft CMS Remote Code Injection | from 0, < 3.6.7 |
| HIGH | 8.8 | | CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter | from 0, <= 3.8.1 |
| HIGH | 8.8 | | Craft CMS PHP Code Injection Vulnerability | from 0, <= 2.6.3000 |
| HIGH | 8.8 | | Improper account password reset in Craft CMS | from 0, < 3.7.36 |
| HIGH | 8.8 | | CSV Injection Vulnerability | >= 3.4.0, < 3.7.14 |
| HIGH | 8.4 | | Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution | >= 5.0.0-RC1, < 5.4.6 |
| HIGH | 7.7 | | Craft CMS Arbitrary System File Read | >= 5.0.0-alpha.1, < 5.4.9 |
| HIGH | 7.5 | | Craft CMS Feed-Me | from 0, < 4.6.2 |
| HIGH | 7.5 | | Craft CMS discloses password hashes | >= 3.0.0, < 3.7.33 |
| HIGH | 7.2 | | Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI | >= 4.0.0-RC1, < 4.12.2 |
| HIGH | 7.2 | | Craft CMS vulnerable to Remote Code Execution via validatePath bypass | >= 4.0.0-RC1, < 4.4.15 |
| HIGH | 7.2 | | Craft CMS vulnerable to Remote Code Execution via unrestricted file extension | >= 4.0.0, < 4.4.6 |
| HIGH | 7.2 | | Craft CMS Vulnerable to Server-Side Template Injection | from 0, <= 3.0.34 |
| MEDIUM | 6.1 | | Craft CMS vulnerable to HTML injection | from 0, <= 4.4.9 |
| MEDIUM | 6.1 | | Craft CMS XSS in RSS widget feed | >= 4.3.0, < 4.4.6 |
| MEDIUM | 6.1 | | craftcms/cms vulnerable to cross site scripting in RSS feed widget | >= 3.0.0, < 3.8.4 |
| MEDIUM | 6.1 | | Cross Site Scripting in CraftCMS | from 0, < 3.7.68 |
| MEDIUM | 6.1 | | Craft CMS Stored Cross-site Scripting Injection Vulnerability | >= 4.0.0-RC1, < 4.3.7 |
| MEDIUM | 6.1 | | Craft CMS XSS Vulnerability | from 0, < 3.3.8 |
| MEDIUM | 6.1 | | Craft CMS XSS Vulnerability | from 0, < 3.1.31 |
| MEDIUM | 6.1 | | Craft CMS XSS Vulnerability | from 0, < 2.6.2974 |
| MEDIUM | 6.1 | | Craft CMS XSS Vulnerability | from 0, < 2.6.2976 |
| MEDIUM | 6.1 | | Cross-site Scripting in craftcms/cms | from 0, < 3.7.29 |
| MEDIUM | 6.1 | | Craft CMS Cross-site Scripting Vulnerability | from 0, < 3.6.13 |
| MEDIUM | 6.1 | | Craft CMS Cross-site Scripting Vulnerability | from 0, < 3.6.0 |
| MEDIUM | 5.5 | | Craft CMS vulnerable to stored XSS in breadcrumb list and title fields | >= 5.0.0, < 5.1.2 |
| MEDIUM | 5.5 | | Craft CMS stored XSS in indexedVolumes | >= 4.0.0-RC1, < 4.4.6 |
| MEDIUM | 5.5 | | Craft CMS stored XSS in review volume | >= 4.0.0-RC1, < 4.4.7 |
| MEDIUM | 5.4 | | Craft CMS Privilege Escalation | >= 4.0.0-RC1, < 4.5.11 |
| MEDIUM | 5.4 | | Stored cross site scripting in Craft CMS | >= 4.0.0-RC1, < 4.4.12 |
| MEDIUM | 5.4 | | Craft CMS Cross-site Scripting vulnerability | >= 4.0.0-RC1, < 4.2.1 |
| MEDIUM | 5.4 | | Craft CMS Stored Cross-site Scripting in User Addresses Title | >= 4.0.0-RC1, < 4.2.1 |
| MEDIUM | 5.4 | | Craft CMS Cross site Scripting vulnerability | >= 4.0.0-RC1, < 4.2.1 |
| MEDIUM | 5.4 | | Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts | >= 3.7.0-beta.1, < 3.7.55.2 |
| MEDIUM | 5.4 | | Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page | >= 4.0.0-RC1, < 4.2.1 |
| MEDIUM | 5.4 | | Craft CMS Cross-site Scripting Vulnerability | from 0, < 3.1.33 |
| MEDIUM | 5.4 | | Craft CMS XSS Vulnerability | from 0, < 2.6.2982 |
| MEDIUM | 5.3 | | Craft CMS subject to URL forgery | from 0, < 2.6.2976 |
| MEDIUM | 5.3 | | Craft CMS Unauthorized View | from 0, < 2.6.2976 |
| MEDIUM | 4.8 | | Craft CMS Allows TOTP Token To Stay Valid After Use | >= 5.0.0-beta.1, < 5.2.3 |
| MEDIUM | 4.8 | | Craft CMS Cross-site Scripting (XSS) Vulnerability | from 0, <= 3.0.25 |
| LOW | 3.7 | | CraftCMS stored XSS in Quick Post widget error message | >= 4.0.0-RC1, < 4.4.6 |
| — | — | | Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | >= 5.0.0-RC1, < 5.9.18 |
| — | — | | Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior | >= 4.0.0, < 4.17.12 |
| — | — | | Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | >= 5.0.0, < 5.9.18 |
| — | — | | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | >= 5.0.0-RC1, < 5.9.15 |
| — | — | | Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations | >= 5.0.0-RC1, < 5.9.15 |
| — | — | | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | >= 5.6.0, < 5.9.15 |
| — | — | | Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions | >= 5.3.0, < 5.9.14 |
| — | — | | Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users | >= 5.0.0-RC1, < 5.9.14 |
| — | — | | Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL | >= 5.0.0-RC1, < 5.9.14 |
| — | — | | Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations | >= 5.0.0-RC1, < 5.9.14 |
| — | — | | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR) | >= 4.0.0-RC1, < 4.17.8 |
| — | — | | Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior | >= 5.6.0, < 5.9.13 |
| — | — | | Craft CMS Vulnerable to Stored XSS in Revision Context Menu | >= 5.9.0-beta.1, < 5.9.11 |
| — | — | | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken() | >= 4.0.0-RC1, < 4.17.6 |
| — | — | | Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController | >= 4.0.0-RC1, < 4.17.5 |
| — | — | | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | >= 5.6.0, < 5.9.11 |
| — | — | | Craft CMS has a Path Traversal Vulnerability in AssetsController | >= 4.0.0-RC1, < 4.17.5 |
| — | — | | CraftCMS has an RCE vulnerability via relational conditionals in the control panel | >= 5.0.0-RC1, < 5.9.9 |
| — | — | | CraftCMS's `ElementSearchController` Affected by Blind SQL Injection | >= 5.0.0-RC1, < 5.9.9 |
| — | — | | CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization | >= 4.15.3, < 4.17.3 |
| — | — | | Craft CMS has a potential information disclosure vulnerability in preview tokens | >= 4.0.0-RC1, < 4.17.4 |
| — | — | | Craft CMS has unauthenticated activation email trigger with potential user enumeration | >= 5.0.0-RC1, < 5.9.0-beta.2 |
| — | — | | Craft CMS has potential authenticated Remote Code Execution via Twig SSTI | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS has Twig Function Blocklist Bypass | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS: Entries Authorship Spoofing via Mass Assignment | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS has IDOR via GraphQL @parseRefs | >= 4.0.0-RC1, < 4.17.0-beta.1 |
| — | — | | Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget | >= 5.8.7, < 5.9.0-beta.1 |
| — | — | | Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution | >= 5.0.0-RC1, < 5.8.23 |
| — | — | | Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit | >= 4.5.0-RC1, < 4.16.19 |
| — | — | | Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding | >= 5.0.0-RC1, < 5.8.23 |
| — | — | | Craft CMS has Stored XSS in Table Field via "HTML" Column Type | >= 4.5.0-RC1, < 4.16.19 |
| — | — | | Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS: GraphQL Asset Mutation Privilege Escalation | >= 5.0.0-RC1, < 5.9.0-beta.1 |
| — | — | | Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]` | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS Vulnerable to Stored XSS in Entry Types Name | >= 5.0.0-RC1, < 5.8.22 |
| — | — | | Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior | >= 5.0.0-RC1, < 5.8.21 |
| — | — | | Unauthenticated Craft CMS users can trigger a database backup | >= 5.0.0-RC1, < 5.8.21 |
| — | — | | Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI | >= 5.0.0-RC1, < 5.8.21 |
| — | — | | Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation | >= 5.0.0-RC1, < 5.8.21 |
| — | — | | Craft CMS vulnerable to potential information disclosure via unchecked asset relocation | >= 5.0.0-RC1, < 5.8.21 |
| — | — | | Craft CMS Potential Remote Code Execution via Twig SSTI | >= 4.0.0-RC1, < 4.16.6 |
| — | — | | Craft CMS has a theoretical bypass for CVE-2025-23209 | >= 4.13.8, < 4.16.3 |
| — | — | | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | >= 4.0.0-RC1, < 4.14.13 |