Craft CMS 5.0.0 Release Candidate 1
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Version | 5.0.0 |
| Update | rc1 |
| Vendor | Craftcms (251e238f-ce53-56ed-bc94-804b74356686) |
| Product | Craft Cms (a92c5963-2d04-59bc-90a5-a8f29f883095) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/craftcms/cms | purl2cpe | 2026-06-01 10:17:10.565324 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-33161 | vulnerable | 2026-06-08 07:59:09.206190 | Craft CMS: Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users. Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14. Published: 2026-03-24T17:31:28.077Z; Updated: 2026-03-24T18:02:07.070Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33160 | vulnerable | 2026-06-08 07:59:09.204857 | Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL. Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14. Published: 2026-03-24T17:30:20.068Z; Updated: 2026-03-26T19:52:13.700Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33159 | vulnerable | 2026-06-08 07:59:09.203416 | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted to trusted users. Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14. Published: 2026-03-24T17:28:37.422Z; Updated: 2026-03-24T17:57:50.529Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33158 | vulnerable | 2026-06-08 07:59:09.202432 | Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR). Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14. Published: 2026-03-24T17:26:03.688Z; Updated: 2026-03-24T20:24:48.917Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32267 | vulnerable | 2026-06-08 07:57:17.328813 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken(). Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12. Published: 2026-03-16T19:04:47.781Z; Updated: 2026-03-18T15:43:25.399Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32264 | vulnerable | 2026-06-08 07:57:17.323865 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32262 | vulnerable | 2026-06-08 07:57:17.322849 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31858 | vulnerable | 2026-06-08 07:57:16.002941 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31857 | vulnerable | 2026-06-08 07:57:16.002298 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-29069 | vulnerable | 2026-06-08 07:55:16.070759 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28784 | vulnerable | 2026-06-08 07:55:15.657789 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28783 | vulnerable | 2026-06-08 07:55:15.656887 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28782 | vulnerable | 2026-06-08 07:55:15.655972 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28781 | vulnerable | 2026-06-08 07:55:15.655228 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28697 | vulnerable | 2026-06-08 07:55:15.525680 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28696 | vulnerable | 2026-06-08 07:55:15.524708 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28695 | vulnerable | 2026-06-08 07:55:15.524105 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27129 | vulnerable | 2026-06-08 07:53:21.951016 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27128 | vulnerable | 2026-06-08 07:53:21.950426 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27127 | vulnerable | 2026-06-08 07:53:21.949682 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27126 | vulnerable | 2026-06-08 07:53:21.947385 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25498 | vulnerable | 2026-06-08 07:53:19.887659 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25497 | vulnerable | 2026-06-08 07:53:19.886862 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25496 | vulnerable | 2026-06-08 07:53:19.886146 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25495 | vulnerable | 2026-06-08 07:53:19.885449 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25494 | vulnerable | 2026-06-08 07:53:19.884781 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25493 | vulnerable | 2026-06-08 07:53:19.883575 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68456 | vulnerable | 2026-06-08 07:41:21.136062 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68455 | vulnerable | 2026-06-08 07:41:21.135556 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68454 | vulnerable | 2026-06-08 07:41:21.134684 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68437 | vulnerable | 2026-06-08 07:41:21.133427 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68436 | vulnerable | 2026-06-08 07:41:21.132969 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-57811 | vulnerable | 2026-06-08 07:33:16.166848 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-46731 | vulnerable | 2026-06-08 07:27:08.727210 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-23209 | vulnerable | 2026-06-08 07:10:55.350512 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-52293 | vulnerable | 2026-06-08 06:52:14.736333 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-52291 | vulnerable | 2026-06-08 06:52:14.734813 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-41800 | vulnerable | 2026-06-08 06:43:55.244416 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |