Package impact

Packagist / craftcms/cms

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Published	Description	Impact
CVE-2026-44012	high	—	8.0	21d ago	Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
CVE-2026-44011	high	—	8.0	21d ago	Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
CVE-2026-44010	high	—	8.0	21d ago	Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
CVE-2017-8384	medium	6.1	6.1	9y ago	Craft CMS XSS Vulnerability
CVE-2017-8052	medium	6.1	6.1	9y ago	Craft CMS XSS Vulnerability
CVE-2026-31859	medium	—	5.5	3mo ago	CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
CVE-2017-9516	medium	5.4	5.4	9y ago	Craft CMS XSS Vulnerability
CVE-2017-8385	medium	5.3	5.3	9y ago	Craft CMS subject to URL forgery
CVE-2017-8383	medium	5.3	5.3	9y ago	Craft CMS Unauthorized View
CVE-2025-35939	unknown	—	1.5	1y ago	Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a…
CVE-2025-32432	unknown	—	1.5	1y ago	Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
CVE-2025-23209	unknown	—	1.5	1y ago	Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
CVE-2024-56145	unknown	—	1.5	2y ago	Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
CVE-2026-41130	unknown	—	—	1mo ago	Craft CMS has a host header injection leading to SSRF via resource-js endpoint
CVE-2026-41129	unknown	—	—	1mo ago	Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
CVE-2026-41128	unknown	—	—	1mo ago	Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
CVE-2026-33162	unknown	—	—	2mo ago	Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
CVE-2026-33161	unknown	—	—	2mo ago	Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
CVE-2026-33160	unknown	—	—	2mo ago	Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
CVE-2026-33159	unknown	—	—	2mo ago	Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
CVE-2026-33158	unknown	—	—	2mo ago	Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
CVE-2026-33157	unknown	—	—	2mo ago	Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
CVE-2026-33051	unknown	—	—	2mo ago	Craft CMS Vulnerable to Stored XSS in Revision Context Menu
CVE-2026-32267	unknown	—	—	2mo ago	Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
CVE-2026-32264	unknown	—	—	2mo ago	Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
CVE-2026-32263	unknown	—	—	2mo ago	Craft CMS vulnerable to behavior injection RCE via EntryTypesController
CVE-2026-32262	unknown	—	—	2mo ago	Craft CMS has a Path Traversal Vulnerability in AssetsController
CVE-2026-31857	unknown	—	—	3mo ago	CraftCMS has an RCE vulnerability via relational conditionals in the control panel
CVE-2026-31858	unknown	—	—	3mo ago	CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
CVE-2026-29113	unknown	—	—	3mo ago	Craft CMS has a potential information disclosure vulnerability in preview tokens
CVE-2026-29069	unknown	—	—	3mo ago	Craft CMS has unauthenticated activation email trigger with potential user enumeration
CVE-2026-28784	unknown	—	—	3mo ago	Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
CVE-2026-28782	unknown	—	—	3mo ago	Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
CVE-2026-28783	unknown	—	—	3mo ago	Craft CMS has Twig Function Blocklist Bypass
CVE-2026-28781	unknown	—	—	3mo ago	Craft CMS: Entries Authorship Spoofing via Mass Assignment
CVE-2026-28697	unknown	—	—	3mo ago	Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
CVE-2026-28696	unknown	—	—	3mo ago	Craft CMS has IDOR via GraphQL @parseRefs
CVE-2026-28695	unknown	—	—	3mo ago	Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
CVE-2026-27129	unknown	—	—	3mo ago	Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
CVE-2026-27128	unknown	—	—	3mo ago	Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
CVE-2026-27127	unknown	—	—	3mo ago	Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
CVE-2026-27126	unknown	—	—	3mo ago	Craft CMS has Stored XSS in Table Field via "HTML" Column Type
CVE-2026-25498	unknown	—	—	4mo ago	Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
CVE-2026-25497	unknown	—	—	4mo ago	Craft CMS: GraphQL Asset Mutation Privilege Escalation
CVE-2026-25496	unknown	—	—	4mo ago	Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
CVE-2026-25495	unknown	—	—	4mo ago	Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
CVE-2026-25494	unknown	—	—	4mo ago	Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
CVE-2026-25493	unknown	—	—	4mo ago	Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
CVE-2026-25491	unknown	—	—	4mo ago	Craft CMS Vulnerable to Stored XSS in Entry Types Name
CVE-2025-68455	unknown	—	—	5mo ago	Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
CVE-2025-68456	unknown	—	—	5mo ago	Unauthenticated Craft CMS users can trigger a database backup
CVE-2025-68454	unknown	—	—	5mo ago	Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
CVE-2025-68437	unknown	—	—	5mo ago	Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
CVE-2025-68436	unknown	—	—	5mo ago	Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
CVE-2025-57811	unknown	—	—	9mo ago	Craft CMS Potential Remote Code Execution via Twig SSTI
CVE-2025-54417	unknown	—	—	10mo ago	Craft CMS has a theoretical bypass for CVE-2025-23209
CVE-2025-46731	unknown	—	—	1y ago	Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
CVE-2024-52293	unknown	—	—	2y ago	Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
CVE-2024-52292	unknown	—	—	2y ago	Craft CMS Arbitrary System File Read
CVE-2024-52291	unknown	—	—	2y ago	Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
CVE-2024-45406	unknown	—	—	2y ago	Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
CVE-2024-41800	unknown	—	—	2y ago	Craft CMS Allows TOTP Token To Stay Valid After Use
CVE-2024-37843	unknown	—	—	2y ago	Craft CMS SQL injection vulnerability via the GraphQL API endpoint
CVE-2023-36260	unknown	—	—	2y ago	Craft CMS Feed-Me
CVE-2024-21622	unknown	—	—	2y ago	Craft CMS Privilege Escalation
CVE-2023-41892	unknown	—	—	3y ago	Craft CMS Remote Code Execution vulnerability
CVE-2023-40035	unknown	—	—	3y ago	Craft CMS vulnerable to Remote Code Execution via validatePath bypass
CVE-2023-33495	unknown	—	—	3y ago	Craft CMS vulnerable to HTML injection
CVE-2023-2817	unknown	—	—	3y ago	Stored cross site scripting in Craft CMS
CVE-2023-33197	unknown	—	—	3y ago	Craft CMS stored XSS in indexedVolumes
CVE-2023-33196	unknown	—	—	3y ago	Craft CMS stored XSS in review volume
CVE-2023-33195	unknown	—	—	3y ago	Craft CMS XSS in RSS widget feed
CVE-2023-33194	unknown	—	—	3y ago	CraftCMS stored XSS in Quick Post widget error message
CVE-2023-32679	unknown	—	—	3y ago	Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
CVE-2023-30130	unknown	—	—	3y ago	CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
CVE-2023-31144	unknown	—	—	3y ago	craftcms/cms vulnerable to cross site scripting in RSS feed widget
CVE-2023-30177	unknown	—	—	3y ago	Cross Site Scripting in CraftCMS
CVE-2023-23927	unknown	—	—	3y ago	Craft CMS Stored Cross-site Scripting Injection Vulnerability
CVE-2022-37783	unknown	—	—	4y ago	Craft CMS discloses password hashes
CVE-2022-37246	unknown	—	—	4y ago	Craft CMS Cross-site Scripting vulnerability
CVE-2022-37250	unknown	—	—	4y ago	Craft CMS Stored Cross-site Scripting in User Addresses Title
CVE-2022-37248	unknown	—	—	4y ago	Craft CMS Cross site Scripting vulnerability
CVE-2022-37251	unknown	—	—	4y ago	Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts
CVE-2022-37247	unknown	—	—	4y ago	Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page
CVE-2020-19626	unknown	—	—	4y ago	Craft CMS Cross-site Scripting Vulnerability
CVE-2019-15929	unknown	—	—	4y ago	Craft CMS possibility of brute force attempts
CVE-2019-17496	unknown	—	—	4y ago	Craft CMS XSS Vulnerability
CVE-2019-12823	unknown	—	—	4y ago	Craft CMS XSS Vulnerability
CVE-2018-20418	unknown	—	—	4y ago	Craft CMS Cross-site Scripting (XSS) Vulnerability
CVE-2018-20465	unknown	—	—	4y ago	Craft CMS Vulnerable to Server-Side Template Injection
CVE-2018-3814	unknown	—	—	4y ago	Craft CMS PHP Code Injection Vulnerability
CVE-2022-29933	unknown	—	—	4y ago	Improper account password reset in Craft CMS
CVE-2022-28378	unknown	—	—	4y ago	Cross-site Scripting in craftcms/cms
CVE-2021-32470	unknown	—	—	4y ago	Craft CMS Cross-site Scripting Vulnerability
CVE-2021-41824	unknown	—	—	5y ago	CSV Injection Vulnerability
CVE-2021-27903	unknown	—	—	5y ago	Craft CMS Remote Code Injection
CVE-2021-27902	unknown	—	—	5y ago	Craft CMS Cross-site Scripting Vulnerability