
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Craftcms (251e238f-ce53-56ed-bc94-804b74356686)
Product: Craft Cms (a92c5963-2d04-59bc-90a5-a8f29f883095)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/craftcms/cms | purl2cpe | 2026-06-01 10:17:10.365192

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-33162 vulnerable 2026-06-08 07:59:09.208918 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Published: 2026-03-24T17:32:27.208Z
Updated: 2026-03-25T13:40:37.056Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33161 vulnerable 2026-06-08 07:59:09.205691 Craft CMS: Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24T17:31:28.077Z
Updated: 2026-03-24T18:02:07.070Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33160 vulnerable 2026-06-08 07:59:09.204315 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24T17:30:20.068Z
Updated: 2026-03-26T19:52:13.700Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33159 vulnerable 2026-06-08 07:59:09.203013 Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted to trusted users
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24T17:28:37.422Z
Updated: 2026-03-24T17:57:50.529Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33158 vulnerable 2026-06-08 07:59:09.191148 Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24T17:26:03.688Z
Updated: 2026-03-24T20:24:48.917Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33157 vulnerable 2026-06-08 07:59:09.190519 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33051 vulnerable 2026-06-08 07:57:18.515960 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-32267 vulnerable 2026-06-08 07:57:17.328437 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-32264 vulnerable 2026-06-08 07:57:17.323574 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-32263 vulnerable 2026-06-08 07:57:17.323161 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-32262 vulnerable 2026-06-08 07:57:17.322490 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31859 vulnerable 2026-06-08 07:57:16.003263 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31858 vulnerable 2026-06-08 07:57:16.002890 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-31857 vulnerable 2026-06-08 07:57:15.993119 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-29113 vulnerable 2026-06-08 07:55:16.122459 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-29069 vulnerable 2026-06-08 07:55:16.066790 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28784 vulnerable 2026-06-08 07:55:15.657385 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28783 vulnerable 2026-06-08 07:55:15.656539 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28782 vulnerable 2026-06-08 07:55:15.655646 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28781 vulnerable 2026-06-08 07:55:15.654867 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28697 vulnerable 2026-06-08 07:55:15.525222 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28696 vulnerable 2026-06-08 07:55:15.524559 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28695 vulnerable 2026-06-08 07:55:15.512800 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27129 vulnerable 2026-06-08 07:53:21.950971 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27128 vulnerable 2026-06-08 07:53:21.950226 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27127 vulnerable 2026-06-08 07:53:21.947945 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27126 vulnerable 2026-06-08 07:53:21.945173 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25498 vulnerable 2026-06-08 07:53:19.887319 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25497 vulnerable 2026-06-08 07:53:19.886514 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25496 vulnerable 2026-06-08 07:53:19.885787 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25495 vulnerable 2026-06-08 07:53:19.885148 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25494 vulnerable 2026-06-08 07:53:19.884146 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25493 vulnerable 2026-06-08 07:53:19.878231 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25492 vulnerable 2026-06-08 07:53:19.877769 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-25491 vulnerable 2026-06-08 07:53:19.877338 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68456 vulnerable 2026-06-08 07:41:21.135944 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68455 vulnerable 2026-06-08 07:41:21.135046 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68454 vulnerable 2026-06-08 07:41:21.134191 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68437 vulnerable 2026-06-08 07:41:21.133376 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68436 vulnerable 2026-06-08 07:41:21.127812 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-57811 vulnerable 2026-06-08 07:33:16.163879 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-54417 vulnerable 2026-06-08 07:33:12.576903 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-46731 vulnerable 2026-06-08 07:27:08.722305 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-35939 vulnerable 2026-06-08 07:21:00.168973 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-32432 vulnerable 2026-06-08 07:18:59.755561 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-23209 vulnerable 2026-06-08 07:10:55.340549 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-56145 vulnerable 2026-06-08 06:54:17.461595 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52293 vulnerable 2026-06-08 06:52:14.735941 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52292 vulnerable 2026-06-08 06:52:14.735415 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-52291 vulnerable 2026-06-08 06:52:14.730969 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-45406 vulnerable 2026-06-08 06:48:06.079427 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-41800 vulnerable 2026-06-08 06:43:55.235981 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-37843 vulnerable 2026-06-08 06:39:48.117774 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-21622 vulnerable 2026-06-08 06:27:36.224886 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-41892 vulnerable 2026-06-08 06:11:07.385827 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-40035 vulnerable 2026-06-08 06:09:41.081466 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-36260 vulnerable 2026-06-08 06:06:28.678250 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-36259 vulnerable 2026-06-08 06:06:28.677871 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-33495 vulnerable 2026-06-08 06:06:23.217289 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-33197 vulnerable 2026-06-08 06:06:21.977157 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-33196 vulnerable 2026-06-08 06:06:21.973025 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-33195 vulnerable 2026-06-08 06:06:21.972497 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-33194 vulnerable 2026-06-08 06:06:21.968644 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-32679 vulnerable 2026-06-08 06:04:47.014254 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-31144 vulnerable 2026-06-08 06:04:41.931627 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-2817 vulnerable 2026-06-08 06:02:43.133766 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-23927 vulnerable 2026-06-08 05:56:04.815250 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-37783 vulnerable 2026-06-08 05:47:13.049610 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-29933 vulnerable 2026-06-08 05:42:49.838843 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-28378 vulnerable 2026-06-08 05:42:44.457969 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-41824 vulnerable 2026-06-08 05:35:21.092669 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32470 vulnerable 2026-06-08 05:31:54.833063 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-27903 vulnerable 2026-06-08 05:31:22.700924 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-27902 vulnerable 2026-06-08 05:31:22.700399 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-9757 vulnerable 2026-06-08 05:28:02.755494 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-17496 vulnerable 2026-06-08 05:13:10.552603 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-15929 vulnerable 2026-06-08 05:13:07.154759 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-14280 vulnerable 2026-06-08 05:12:54.381706 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-12823 vulnerable 2026-06-08 05:12:40.539627 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2018-20465 vulnerable 2026-06-08 05:11:27.274659 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-9516 vulnerable 2026-06-08 05:10:10.082932 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-8385 vulnerable 2026-06-08 05:10:08.156970 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-8384 vulnerable 2026-06-08 05:10:08.156670 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-8383 vulnerable 2026-06-08 05:10:08.156356 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2017-8052 vulnerable 2026-06-08 05:10:07.101868 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
