cpe:2.3:a:craftcms:cms:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a (application) |
| Vendor | Craftcms (251e238f-ce53-56ed-bc94-804b74356686) |
| Product | Cms (9e04d365-c5fd-5051-ae1c-868eebba550e) |
| Version | * |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-44012 | vulnerable | 2026-06-08 08:03:18.065224 | Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure. Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, folder names, folder UIDs, and folder URI paths) without checking whether the requesting user has viewAssets or viewPeerAssets permission on the asset's volume. Any authenticated CP user, even one with zero volume permissions, can enumerate asset filenames and the full folder structure of any volume by supplying arbitrary asset IDs. This vulnerability is fixed in 5.9.18. Published 2026-05-12T20:19:33.550Z, updated 2026-05-13T14:49:47.308Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-44011 | vulnerable | 2026-06-08 08:03:18.064962 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior. Craft CMS is a content management system (CMS). On 4.x from 4.0.0 before 4.17.12, and on 5.x before 5.9.18, Craft CMS contains an input-handling flaw in a Yii object-creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Request-controlled condition field-layout data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct() runs, attacker-controlled special config keys take effect during object creation, and FieldLayout initialization then triggers an event in the same request. This vulnerability is fixed in 4.17.12 and 5.9.18. Published 2026-05-12T20:25:08.183Z, updated 2026-05-13T15:37:25.178Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-44010 | vulnerable | 2026-06-08 08:03:18.064609 | Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure. Craft CMS is a content management system (CMS). On 4.x from 4.0.0 before 4.17.12, and on 5.x before 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18. Published 2026-05-12T20:17:31.220Z, updated 2026-05-13T14:22:37.063Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-41130 | vulnerable | 2026-06-08 08:03:14.917478 | Craft CMS has a host header injection leading to SSRF via resource-js endpoint. Craft CMS is a content management system (CMS). In versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14, the `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). Versions 4.17.9 and 5.9.15 patch the issue. Published 2026-04-21T23:36:31.358Z, updated 2026-04-22T14:18:56.067Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-41129 | vulnerable | 2026-06-08 08:03:14.917202 | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations. Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: `Edit assets in the <VolumeName> volume` and `Create assets in the <VolumeName> volume`. Versions 4.17.9 and 5.9.15 patch the issue. Published 2026-04-21T23:34:56.801Z, updated 2026-04-22T18:11:08.699Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-41128 | vulnerable | 2026-06-08 08:03:14.916798 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33162 | vulnerable | 2026-06-08 07:59:09.206692 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33161 | vulnerable | 2026-06-08 07:59:09.205554 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33160 | vulnerable | 2026-06-08 07:59:09.204280 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33159 | vulnerable | 2026-06-08 07:59:09.202966 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33158 | vulnerable | 2026-06-08 07:59:09.191103 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33157 | vulnerable | 2026-06-08 07:59:09.189196 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33051 | vulnerable | 2026-06-08 07:57:18.515916 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32267 | vulnerable | 2026-06-08 07:57:17.328273 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32264 | vulnerable | 2026-06-08 07:57:17.323542 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32263 | vulnerable | 2026-06-08 07:57:17.323127 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32262 | vulnerable | 2026-06-08 07:57:17.322353 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31859 | vulnerable | 2026-06-08 07:57:16.003228 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31858 | vulnerable | 2026-06-08 07:57:16.002770 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31857 | vulnerable | 2026-06-08 07:57:15.992479 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-29113 | vulnerable | 2026-06-08 07:55:16.122413 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-29069 | vulnerable | 2026-06-08 07:55:16.066753 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28784 | vulnerable | 2026-06-08 07:55:15.657267 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28783 | vulnerable | 2026-06-08 07:55:15.656432 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28782 | vulnerable | 2026-06-08 07:55:15.655613 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28781 | vulnerable | 2026-06-08 07:55:15.654826 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28697 | vulnerable | 2026-06-08 07:55:15.525184 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28696 | vulnerable | 2026-06-08 07:55:15.524514 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-28695 | vulnerable | 2026-06-08 07:55:15.511606 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27129 | vulnerable | 2026-06-08 07:53:21.950855 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27128 | vulnerable | 2026-06-08 07:53:21.950063 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27127 | vulnerable | 2026-06-08 07:53:21.947783 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27126 | vulnerable | 2026-06-08 07:53:21.945120 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25498 | vulnerable | 2026-06-08 07:53:19.887181 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25497 | vulnerable | 2026-06-08 07:53:19.886474 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25496 | vulnerable | 2026-06-08 07:53:19.885756 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25495 | vulnerable | 2026-06-08 07:53:19.885116 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25494 | vulnerable | 2026-06-08 07:53:19.884101 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25493 | vulnerable | 2026-06-08 07:53:19.878086 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25492 | vulnerable | 2026-06-08 07:53:19.877732 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-25491 | vulnerable | 2026-06-08 07:53:19.876438 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68456 | vulnerable | 2026-06-08 07:41:21.135916 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68455 | vulnerable | 2026-06-08 07:41:21.135016 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68454 | vulnerable | 2026-06-08 07:41:21.134022 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68437 | vulnerable | 2026-06-08 07:41:21.133333 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-68436 | vulnerable | 2026-06-08 07:41:21.126876 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-57811 | vulnerable | 2026-06-08 07:33:16.163834 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-54417 | vulnerable | 2026-06-08 07:33:12.576140 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-46731 | vulnerable | 2026-06-08 07:27:08.713642 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-32432 | vulnerable | 2026-06-08 07:18:59.754589 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-23209 | vulnerable | 2026-06-08 07:10:55.339539 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-56145 | vulnerable | 2026-06-08 06:54:17.460699 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-52293 | vulnerable | 2026-06-08 06:52:14.736052 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-52292 | vulnerable | 2026-06-08 06:52:14.735549 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-52291 | vulnerable | 2026-06-08 06:52:14.731752 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-45406 | vulnerable | 2026-06-08 06:48:06.080116 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-41800 | vulnerable | 2026-06-08 06:43:55.236792 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-21622 | vulnerable | 2026-06-08 06:27:36.224080 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-41892 | vulnerable | 2026-06-08 06:11:07.384787 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-40035 | vulnerable | 2026-06-08 06:09:41.080590 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-33197 | vulnerable | 2026-06-08 06:06:21.977107 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-33196 | vulnerable | 2026-06-08 06:06:21.972877 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-33195 | vulnerable | 2026-06-08 06:06:21.972448 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-33194 | vulnerable | 2026-06-08 06:06:21.967512 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-32679 | vulnerable | 2026-06-08 06:04:47.014083 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-31144 | vulnerable | 2026-06-08 06:04:41.930802 | details skipped | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-23927 | vulnerable | 2026-06-08 05:56:04.814249 | details skipped | Imported from gcve-enriched-dumps CVE data |
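The check missing in CVE-2026-44012 is the authorization boundary that every control-panel action resolving an element from a client-supplied ID needs: the ID proves nothing about what the caller may see. The controller below is an added example written for this page, not Craft's AssetsController or its fix. It re-implements a "show in folder" lookup for a Craft 4/5 install inside a hypothetical module (the `modules\example\controllers` namespace, the `AssetInfoController` name and the `assetId` parameter are assumptions) and refuses to describe any asset the current user cannot view.

```php
<?php
// Hypothetical module namespace (assumption; use your own module's).
namespace modules\example\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\NotFoundHttpException;
use yii\web\Response;

/**
 * Returns an asset's filename and folder chain, but only after an
 * authorization check on the asset's volume. Illustrative code, not
 * Craft's own controller.
 */
class AssetInfoController extends Controller
{
    public function actionShowInFolder(): Response
    {
        // CP-only, JSON-only: same shape as other CP element lookups.
        $this->requireCpRequest();
        $this->requireAcceptsJson();

        $assetId = (int)$this->request->getRequiredParam('assetId');
        $user = Craft::$app->getUser()->getIdentity();
        $asset = Asset::find()->id($assetId)->one();

        // Authorization boundary. Asset::canView() requires
        // viewAssets:<volumeUid>, or viewPeerAssets:<volumeUid> when a
        // different user uploaded the asset. One 404 covers both "missing"
        // and "forbidden", so the response does not reveal which IDs exist
        // in volumes the caller cannot see.
        if ($asset === null || $user === null || !$asset->canView($user)) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // Only now touch volume and folder metadata.
        $volume = $asset->getVolume();
        $chain = [];
        for ($folder = $asset->getFolder(); $folder !== null; $folder = $folder->getParent()) {
            array_unshift($chain, [
                'name' => $folder->name,
                'uid' => $folder->uid,
                'path' => $folder->path,
            ]);
        }

        return $this->asJson([
            'filename' => $asset->getFilename(),
            'volume' => ['handle' => $volume->handle, 'uid' => $volume->uid],
            'folders' => $chain,
        ]);
    }
}
```

Keep the check on the element (`canView()`) rather than on a volume handle taken from the request: the asset's own volume is the one that matters, and the element-level method already encodes the uploader/peer distinction. Returning 404 for forbidden assets is a deliberate choice; a 403 would let an attacker confirm that an ID exists even when the filename and folder path stay hidden.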
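CVE-2026-44011 rests on a Yii property: when an array is applied to a `yii\base\Component` through `Yii::configure()`, a key of the form `on <event>` attaches an event handler and a key of the form `as <name>` attaches a behavior, and this happens inside the constructor, before any `init()` override runs. Data that came from a request therefore has to be cleansed before it is handed to the object factory, which is the boundary the advisory says was missing. The block below is an added example, not Craft's code or its fix. `cleanseUntrustedConfig()` is written out on the assumption that it matches what `craft\helpers\Component::cleanseConfig()` does, so the script runs without a Craft installation; the payload, the `Any\Behavior` class name and the `someEvent` event name are constructed placeholders.

```php
<?php
// Added example for this page, not Craft's code. Shows the cleansing step
// that belongs between request-controlled data and object creation.

use craft\models\FieldLayout;

/**
 * Remove keys that Yii::configure() / yii\base\Component::__set() interpret
 * specially: "on <event>" attaches an event handler, "as <name>" attaches a
 * behavior. Recurses so that nested arrays, which may themselves become
 * objects later, are cleansed too. Assumption: mirrors the behaviour of
 * craft\helpers\Component::cleanseConfig().
 */
function cleanseUntrustedConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseUntrustedConfig($value) : $value;
    }
    return $clean;
}

/**
 * Build the factory config for a FieldLayout from request data. The class is
 * pinned with array union (left operand wins on duplicate keys), so a "class"
 * key in the request cannot redirect object creation either.
 */
function fieldLayoutConfigFromRequest(array $requestData): array
{
    return ['class' => FieldLayout::class] + cleanseUntrustedConfig($requestData);
}

// Constructed payload (not from the advisory): a plausible layout config with
// injected keys at the top level and inside a nested tab config.
$untrusted = [
    'type' => 'craft\\elements\\Entry',
    'tabs' => [
        ['name' => 'Content', 'elements' => [], 'as nested' => ['class' => 'Any\\Behavior']],
    ],
    'as injected' => ['class' => 'Any\\Behavior'],
    'on someEvent' => 'somePhpCallable',
    'class' => 'Any\\OtherClass',
];

// Vulnerable shape (what the advisory describes): request data reaches the
// factory unfiltered, so the "as"/"on" keys are applied during construction.
$vulnerableConfig = ['class' => FieldLayout::class] + $untrusted;

// Hardened shape: cleanse first, then pin the class.
$safeConfig = fieldLayoutConfigFromRequest($untrusted);

// Only $safeConfig may be passed on; this needs a Craft runtime:
//   $layout = Craft::createObject($safeConfig);

echo "vulnerable keys: " . implode(', ', array_keys($vulnerableConfig)) . "\n";
echo "safe keys:       " . implode(', ', array_keys($safeConfig)) . "\n";
echo "safe tab keys:   " . implode(', ', array_keys($safeConfig['tabs'][0])) . "\n";
```

Run it with `php cleanse.php` (assumed file name); the vulnerable key list still carries `as injected` and `on someEvent`, the safe lists do not. Do the cleansing where the request is read, not inside the model: by the time a `FieldLayout` constructor or `init()` runs, `Yii::configure()` has already applied the special keys, which is exactly the ordering the advisory describes. Pinning `class` with array union matters for the same reason; the caller, not the request, decides what gets built.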