Approved changes feed: RSS · Atom

cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*

part: a version: 4.5.0 update: -

VendorCraftcms (251e238f-ce53-56ed-bc94-804b74356686)
ProductCraft Cms (a92c5963-2d04-59bc-90a5-a8f29f883095)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:github/craftcms/cms purl2cpe 2026-06-01 10:17:10.367080

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-27128 vulnerable 2026-06-08 07:53:21.950253 Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24T02:42:53.706Z
Updated: 2026-02-28T02:13:48.422Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27126 vulnerable 2026-06-08 07:53:21.946508 Craft CMS has Stored XSS in Table Field via "HTML" Column Type
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24T02:30:04.882Z
Updated: 2026-02-24T19:35:38.348Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.