Package impact

php Packagist / craftcms/cms

CVE Severity CVSS Risk Flags OS Vendor Published Description
CVE-2026-44012 high 8.0 28d ago Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
CVE-2026-44011 high 8.0 28d ago Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
CVE-2026-44010 high 8.0 28d ago Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
CVE-2017-9516 medium 5.4 6.4 9y ago Craft CMS XSS Vulnerability
CVE-2017-8384 medium 6.1 6.1 9y ago Craft CMS XSS Vulnerability
CVE-2017-8052 medium 6.1 6.1 9y ago Craft CMS XSS Vulnerability
CVE-2026-31859 medium 5.5 3mo ago CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
CVE-2017-8385 medium 5.3 5.3 9y ago Craft CMS subject to URL forgery
CVE-2017-8383 medium 5.3 5.3 9y ago Craft CMS Unauthorized View
CVE-2025-32432 unknown 2.5 1y ago Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
CVE-2024-56145 unknown 2.5 2y ago Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
CVE-2025-35939 unknown 1.5 1y ago Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a…
CVE-2025-23209 unknown 1.5 1y ago Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
CVE-2023-41892 unknown 1.0 3y ago Craft CMS Remote Code Execution vulnerability
CVE-2018-20418 unknown 1.0 4y ago Craft CMS Cross-site Scripting (XSS) Vulnerability
CVE-2026-41130 unknown 2mo ago Craft CMS has a host header injection leading to SSRF via resource-js endpoint
CVE-2026-41129 unknown 2mo ago Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
CVE-2026-41128 unknown 2mo ago Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
CVE-2026-33162 unknown 2mo ago Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
CVE-2026-33161 unknown 2mo ago Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
CVE-2026-33160 unknown 2mo ago Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
CVE-2026-33159 unknown 2mo ago Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
CVE-2026-33158 unknown 2mo ago Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
CVE-2026-33157 unknown 2mo ago Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
CVE-2026-33051 unknown 3mo ago Craft CMS Vulnerable to Stored XSS in Revision Context Menu
CVE-2026-32267 unknown 3mo ago Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
CVE-2026-32264 unknown 3mo ago Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
CVE-2026-32263 unknown 3mo ago Craft CMS vulnerable to behavior injection RCE via EntryTypesController
CVE-2026-32262 unknown 3mo ago Craft CMS has a Path Traversal Vulnerability in AssetsController
CVE-2026-31857 unknown 3mo ago CraftCMS has an RCE vulnerability via relational conditionals in the control panel
CVE-2026-31858 unknown 3mo ago CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
CVE-2026-29113 unknown 3mo ago Craft CMS has a potential information disclosure vulnerability in preview tokens
CVE-2026-29069 unknown 3mo ago Craft CMS has unauthenticated activation email trigger with potential user enumeration
CVE-2026-28784 unknown 3mo ago Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
CVE-2026-28782 unknown 3mo ago Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
CVE-2026-28783 unknown 3mo ago Craft CMS has Twig Function Blocklist Bypass
CVE-2026-28781 unknown 3mo ago Craft CMS: Entries Authorship Spoofing via Mass Assignment
CVE-2026-28697 unknown 3mo ago Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
CVE-2026-28696 unknown 3mo ago Craft CMS has IDOR via GraphQL @parseRefs
CVE-2026-28695 unknown 3mo ago Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
CVE-2026-27129 unknown 3mo ago Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
CVE-2026-27128 unknown 3mo ago Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
CVE-2026-27127 unknown 3mo ago Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
CVE-2026-27126 unknown 3mo ago Craft CMS has Stored XSS in Table Field via "HTML" Column Type
CVE-2026-25498 unknown 4mo ago Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
CVE-2026-25497 unknown 4mo ago Craft CMS: GraphQL Asset Mutation Privilege Escalation
CVE-2026-25496 unknown 4mo ago Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
CVE-2026-25495 unknown 4mo ago Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
CVE-2026-25494 unknown 4mo ago Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
CVE-2026-25493 unknown 4mo ago Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
CVE-2026-25491 unknown 4mo ago Craft CMS Vulnerable to Stored XSS in Entry Types Name
CVE-2025-68455 unknown 5mo ago Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
CVE-2025-68456 unknown 5mo ago Unauthenticated Craft CMS users can trigger a database backup
CVE-2025-68454 unknown 5mo ago Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
CVE-2025-68437 unknown 5mo ago Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
CVE-2025-68436 unknown 5mo ago Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
CVE-2025-57811 unknown 9mo ago Craft CMS Potential Remote Code Execution via Twig SSTI
CVE-2025-54417 unknown 10mo ago Craft CMS has a theoretical bypass for CVE-2025-23209
CVE-2025-46731 unknown 1y ago Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
CVE-2024-52293 unknown 2y ago Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
CVE-2024-52292 unknown 2y ago Craft CMS Arbitrary System File Read
CVE-2024-52291 unknown 2y ago Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
CVE-2024-45406 unknown 2y ago Craft CMS vulnerable to stored XSS in breadcrumb list and title fields
CVE-2024-41800 unknown 2y ago Craft CMS Allows TOTP Token To Stay Valid After Use
CVE-2024-37843 unknown 2y ago Craft CMS SQL injection vulnerability via the GraphQL API endpoint
CVE-2023-36260 unknown 2y ago Craft CMS Feed-Me
CVE-2024-21622 unknown 2y ago Craft CMS Privilege Escalation
CVE-2023-40035 unknown 3y ago Craft CMS vulnerable to Remote Code Execution via validatePath bypass
CVE-2023-33495 unknown 3y ago Craft CMS vulnerable to HTML injection
CVE-2023-2817 unknown 3y ago Stored cross site scripting in Craft CMS
CVE-2023-33197 unknown 3y ago Craft CMS stored XSS in indexedVolumes
CVE-2023-33196 unknown 3y ago Craft CMS stored XSS in review volume
CVE-2023-33195 unknown 3y ago Craft CMS XSS in RSS widget feed
CVE-2023-33194 unknown 3y ago CraftCMS stored XSS in Quick Post widget error message
CVE-2023-32679 unknown 3y ago Craft CMS vulnerable to Remote Code Execution via unrestricted file extension
CVE-2023-30130 unknown 3y ago CraftCMS allows remote attacker to execute arbitrary code via crafted script to Section parameter
CVE-2023-31144 unknown 3y ago craftcms/cms vulnerable to cross site scripting in RSS feed widget
CVE-2023-30177 unknown 3y ago Cross Site Scripting in CraftCMS
CVE-2023-23927 unknown 3y ago Craft CMS Stored Cross-site Scripting Injection Vulnerability
CVE-2022-37783 unknown 4y ago Craft CMS discloses password hashes
CVE-2022-37246 unknown 4y ago Craft CMS Cross-site Scripting vulnerability
CVE-2022-37248 unknown 4y ago Craft CMS Cross site Scripting vulnerability
CVE-2022-37250 unknown 4y ago Craft CMS Stored Cross-site Scripting in User Addresses Title
CVE-2022-37251 unknown 4y ago Craft CMS vulnerable to Cross-site Scripting via entry revisions and drafts
CVE-2022-37247 unknown 4y ago Craft CMS vulnerable to stored Cross-site Scripting via /admin/settings/fields page
CVE-2020-19626 unknown 4y ago Craft CMS Cross-site Scripting Vulnerability
CVE-2019-15929 unknown 4y ago Craft CMS possibility of brute force attempts
CVE-2019-17496 unknown 4y ago Craft CMS XSS Vulnerability
CVE-2019-12823 unknown 4y ago Craft CMS XSS Vulnerability
CVE-2018-20465 unknown 4y ago Craft CMS Vulnerable to Server-Side Template Injection
CVE-2018-3814 unknown 4y ago Craft CMS PHP Code Injection Vulnerability
CVE-2022-29933 unknown 4y ago Improper account password reset in Craft CMS
CVE-2022-28378 unknown 4y ago Cross-site Scripting in craftcms/cms
CVE-2021-32470 unknown 4y ago Craft CMS Cross-site Scripting Vulnerability
CVE-2021-41824 unknown 5y ago CSV Injection Vulnerability
CVE-2021-27903 unknown 5y ago Craft CMS Remote Code Injection
CVE-2021-27902 unknown 5y ago Craft CMS Cross-site Scripting Vulnerability