Filtered by vendor Craftcms
Subscribe
Total
114 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-35939 | 1 Craftcms | 1 Craft Cms | 2025-10-24 | N/A | 5.3 MEDIUM |
| Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. | |||||
| CVE-2025-46731 | 1 Craftcms | 1 Craft Cms | 2025-09-03 | N/A | 7.2 HIGH |
| Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue. | |||||
| CVE-2025-57811 | 1 Craftcms | 1 Craft Cms | 2025-09-03 | N/A | 7.2 HIGH |
| Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7. | |||||
| CVE-2025-54417 | 1 Craftcms | 1 Craft Cms | 2025-09-02 | N/A | 8.8 HIGH |
| Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4. | |||||
| CVE-2022-37250 | 1 Craftcms | 1 Craft Cms | 2025-06-03 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. | |||||
| CVE-2023-36259 | 1 Craftcms | 1 Craft Cms | 2025-05-29 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. | |||||
| CVE-2022-37246 | 1 Craftcms | 1 Craft Cms | 2025-05-27 | N/A | 5.4 MEDIUM |
| Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label. | |||||
| CVE-2017-8384 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. | |||||
| CVE-2017-8385 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | |||||
| CVE-2017-8383 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | |||||
| CVE-2017-9516 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | |||||
| CVE-2017-8052 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Craft CMS before 2.6.2974 allows XSS attacks. | |||||
| CVE-2023-30177 | 1 Craftcms | 1 Craft Cms | 2025-02-03 | N/A | 6.1 MEDIUM |
| CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. | |||||
| CVE-2023-30130 | 1 Craftcms | 1 Craft Cms | 2025-01-24 | N/A | 8.8 HIGH |
| An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | |||||
| CVE-2023-2817 | 1 Craftcms | 1 Craft Cms | 2025-01-15 | N/A | 5.4 MEDIUM |
| A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | |||||
| CVE-2023-30179 | 1 Craftcms | 1 Craft Cms | 2025-01-03 | N/A | 7.2 HIGH |
| CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. | |||||
| CVE-2023-33495 | 1 Craftcms | 1 Craft Cms | 2024-12-09 | N/A | 6.1 MEDIUM |
| Craft CMS through 4.4.9 is vulnerable to HTML Injection. | |||||
| CVE-2024-41800 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 4.8 MEDIUM |
| Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3. | |||||
| CVE-2024-37843 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 9.8 CRITICAL |
| Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. | |||||
| CVE-2024-21622 | 1 Craftcms | 1 Craft Cms | 2024-11-21 | N/A | 5.4 MEDIUM |
| Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. | |||||