Craft CMS
Reflected XSS in Craft CMS versions before 5.9.7 and 4.17.3 allows remote attackers to execute arbitrary JavaScript in users' browsers via malicious return URLs that bypass insufficient sanitization. The vulnerability exists because the patch for a prior issue relied on strip_tags() to filter URLs, which fails to block dangerous URL schemes like javascript:. An attacker can craft a malicious link that, when clicked by an authenticated user, steals session cookies or performs actions on their behalf.
SQL injection in Craft CMS ElementSearchController allows authenticated control panel users to execute arbitrary SQL queries and extract complete database contents through the criteria[where] and criteria[orderBy] parameters. The vulnerability exists because a previous SQL injection fix applied to ElementIndexesController was never implemented in this endpoint. An attacker with any control panel user account can exploit this via boolean-based blind injection without requiring administrative privileges.
Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. No patch is currently available for this HIGH severity vulnerability.
Unauthenticated attackers can generate preview tokens in Craft CMS versions prior to 4.17.4 and 5.9.7 by exploiting a CSRF vulnerability in the /actions/preview/create-token endpoint, which lacks proper token validation and HTTP method restrictions. An attacker can force a logged-in editor to create an attacker-controlled preview token that grants unauthorized access to unpublished content. This attack requires user interaction but allows the attacker to view sensitive content without authentication.
Unauthenticated attackers can trigger activation emails for pending user accounts in Craft CMS versions prior to 5.9.0-beta.2 and 4.17.0-beta.2 by exploiting an unprotected endpoint that lacks permission checks. If an attacker controls the target user's email address, they can complete account activation and gain unauthorized system access. A patch is available in the latest beta versions.
Remote code execution in Craft CMS versions before 5.8.22 and 4.16.18 can be achieved by authenticated administrators or users with System Messages access by injecting malicious Twig payloads through the map filter in configurable text fields. An attacker with admin-level privileges and allowAdminChanges enabled, or non-admin access to System Messages utilities, can execute arbitrary code on the affected server. A patch is available and users should update immediately to mitigate this risk.
Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.
Craft CMS prior to versions 5.9.0-beta.1 and 4.17.0-beta.1 fails to properly authorize the "Duplicate" entry action, allowing authenticated users to bypass UI restrictions and duplicate entries via direct requests. An attacker with minimal "View Entries" permissions can exploit predictable, incremental Entry IDs to brute-force and duplicate other users' restricted content, gaining unauthorized access to sensitive data. Public exploit code exists for this vulnerability.
Craft CMS prior to versions 4.17.0-beta.1 and 5.9.0-beta.1 allows users with entry creation permissions to arbitrarily assign authorship of new entries to any user, including administrators, through mass assignment of the authorId parameter. Public exploit code exists for this vulnerability, enabling attackers to spoof entry authorship and manipulate content attribution. The vulnerability is fixed in the specified beta releases.
RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch available.
Craft is a content management system (CMS). [CVSS 7.5 HIGH]
Remote code execution in Craft CMS 5.8.21 allows authenticated administrators to execute arbitrary PHP code through Server-Side Template Injection in the create() Twig function combined with Symfony Process gadget chains. Public exploit code exists for this vulnerability, which bypasses the previous patch for CVE-2025-57811. Updates are available in Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.
Craft CMS versions 4.5.0 through 4.16.18 and 5.0.0 through 5.8.22 contain an SSRF bypass in GraphQL Asset mutations where IPv6-only hostnames bypass the security blocklist, allowing authenticated users with GraphQL asset editing permissions to perform server-side request forgery attacks. Public exploit code exists for this vulnerability, which is a regression of a previously patched SSRF issue. Authenticated users with appropriate GraphQL schema permissions can exploit this to access internal resources or perform requests to arbitrary IPv6 addresses.
Multiple usage tokens in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 can be consumed beyond their intended limits due to a race condition in token validation logic where usage checks and database updates are not atomic. An authenticated attacker with access to a valid impersonation token can exploit concurrent requests to bypass usage restrictions and reuse single-use tokens multiple times. Patches are available for affected versions.
DNS rebinding attacks in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allow authenticated attackers to bypass SSRF protections in GraphQL asset mutations by exploiting a Time-of-Check-Time-of-Use race condition between DNS validation and HTTP requests. Attackers with appropriate GraphQL schema permissions can access blocked IP addresses and internal resources that should be restricted. Public exploit code exists for this vulnerability, which represents a bypass of the previous CVE-2025-68437 fix.
Stored XSS in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allows high-privileged administrators to inject malicious scripts into HTML-type table columns that execute in other users' browsers. Exploitation requires admin-level access and the `allowAdminChanges` setting enabled in production, limiting the risk to environments with already-compromised administrative accounts. Patches are available in versions 4.16.19 and 5.8.23.
Craft is a platform for creating digital experiences. [CVSS 7.2 HIGH]
Craft CMS versions 4.0.0-RC1 to 4.17.0 and 5.0 to 5.9.0 contain a privilege escalation vulnerability in the GraphQL API that allows authenticated users with write access to one asset volume to modify or transfer assets across any other volume, including restricted ones they should not access. The vulnerability stems from insufficient authorization validation in the saveAsset mutation, which verifies permissions against the intended volume but fails to confirm the target asset actually belongs to that volume. An attacker with limited asset write permissions can exploit this to gain unauthorized access to and manipulate sensitive assets in protected volumes.
Stored XSS in Craft CMS Number field settings (versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21) allows authenticated users with high privileges to inject malicious scripts via the Prefix or Suffix fields, which execute when the field is viewed on user profiles. Public exploit code exists for this vulnerability. Updates to versions 4.16.18 and 5.8.22 are available to remediate the issue.
SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel users to execute arbitrary SQL queries via the criteria[orderBy] parameter in the element-indexes/get-elements endpoint. The vulnerability stems from insufficient input sanitization in the ORDER BY clause, enabling attackers to manipulate database queries. Public exploit code exists for this high-severity vulnerability, and patches are available in versions 4.16.18 and 5.8.22.
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. [CVSS 6.5 MEDIUM]
SSRF bypass in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows unauthenticated attackers to access cloud metadata endpoints and internal IP addresses through the saveAsset GraphQL mutation by exploiting Guzzle's automatic redirect handling. The vulnerability bypasses hostname and IP blocklist protections that validate only the initial request URL, enabling attackers to reach sensitive internal resources. Public exploit code exists; patched versions 4.16.18 and 5.8.22 are available.
Craft CMS versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21 contain a server-side request forgery vulnerability in the save_images_Asset GraphQL mutation that allows authenticated users to bypass hostname validation and retrieve internal URLs by specifying domains resolving to private IP addresses. By uploading files with non-image extensions like .txt, attackers can bypass downstream validation to access sensitive data including AWS instance metadata credentials from the host system. Public exploit code exists for this vulnerability, though patches are available in versions 4.16.18 and 5.8.22.
Stored cross-site scripting in Craft CMS versions 5.0.0-RC1 through 5.8.21 allows authenticated users with high privileges to inject malicious scripts through Entry Type names that are not sanitized when displayed in the Entry Types list. An attacker exploiting this vulnerability can execute arbitrary JavaScript in the browsers of other users viewing the affected list, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available in version 5.8.22 and later.
Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operations, leading to resource exhaustion or information disclosure if backups are stored in accessible locations. PoC available, patches available.
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. [CVSS 7.2 HIGH]
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. [CVSS 8.8 HIGH]
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). [CVSS 6.8 MEDIUM]
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets through their user profile photo by sending maliciously crafted requests. [CVSS 6.5 MEDIUM]
Craft is a platform for creating digital experiences. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with low attack complexity.
Craft is a platform for creating digital experiences. Rated medium severity (CVSS 5.2), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.
Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. It is actively exploited in the wild (listed in the CISA KEV catalog) and has an EPSS exploitation probability of 33.1%.
Craft is a content management system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable with low attack complexity.
Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauthenticated attackers to execute arbitrary code on the server, actively exploited in the wild before patches were released.
Craft CMS 4 and 5 contain a remote code execution vulnerability exploitable when the application's security key has been compromised, allowing attackers with the key to execute arbitrary code on the server.
Craft is a content management system. Rated medium severity (CVSS 5.4), this vulnerability has low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges and gain unauthorized elevated access.