Craft CMS 4.5.0
Approved changes feed: RSS · Atom
cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*
part: a version: 4.5.0 update: -
| Vendor | Craftcms (251e238f-ce53-56ed-bc94-804b74356686) |
|---|---|
| Product | Craft Cms (a92c5963-2d04-59bc-90a5-a8f29f883095) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/craftcms/cms |
purl2cpe | 2026-06-01 10:17:10.367080 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-27128 |
vulnerable | 2026-06-08 07:53:21.950253 |
Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24T02:42:53.706Z
Updated: 2026-02-28T02:13:48.422Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-27126 |
vulnerable | 2026-06-08 07:53:21.946508 |
Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24T02:30:04.882Z
Updated: 2026-02-24T19:35:38.348Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.