Skip to main content

Craftercms

4 CVEs product

Monthly

CVE-2025-6384 Maven CRITICAL PATCH Act Now

Critical Remote Code Execution vulnerability in CrafterCMS Crafter Studio that allows authenticated developers to bypass Groovy Sandbox restrictions and execute arbitrary OS commands through malicious Groovy code injection. This affects CrafterCMS versions 4.0.0 through 4.2.2, and while it requires high-privilege authentication (developer role), the ability to achieve RCE with high-impact consequences (confidentiality, integrity, and availability compromise across system boundaries) makes this a severe issue worthy of immediate patching.

RCE Craftercms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-0502 MEDIUM This Month

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Apple Craftercms Windows +1
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2023-4136 Maven MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.0.0 through. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Microsoft Craftercms
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2023-33194 PHP MEDIUM POC PATCH This Month

Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Craft Cms Craftercms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Critical Remote Code Execution vulnerability in CrafterCMS Crafter Studio that allows authenticated developers to bypass Groovy Sandbox restrictions and execute arbitrary OS commands through malicious Groovy code injection. This affects CrafterCMS versions 4.0.0 through 4.2.2, and while it requires high-privilege authentication (developer role), the ability to achieve RCE with high-impact consequences (confidentiality, integrity, and availability compromise across system boundaries) makes this a severe issue worthy of immediate patching.

RCE Craftercms
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Apple +3
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.0.0 through. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Microsoft +1
NVD
EPSS 1% CVSS 4.8
MEDIUM POC PATCH This Month

Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Craft Cms Craftercms
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy