Package impact
COMPOSER / craftcms/cms
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2026-44012 | high | — | 8.0 | 22d ago | Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | |
| CVE-2026-44011 | high | — | 8.0 | 22d ago | Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior | |
| CVE-2026-44010 | high | — | 8.0 | 22d ago | Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | |
| CVE-2026-31859 | medium | — | 5.5 | 3mo ago | CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization |