Filtered by vendor Craftcms
                        
                        Subscribe
                        
                        
                    
                    
                
                    Total
                    57 CVE
                
            | CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | 
|---|---|---|---|---|---|
| CVE-2024-56145 | 1 Craftcms | 1 Craft Cms | 2025-10-24 | N/A | 9.8 CRITICAL | 
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. | |||||
| CVE-2025-23209 | 1 Craftcms | 1 Craft Cms | 2025-10-24 | N/A | 8.0 HIGH | 
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue. | |||||
| CVE-2025-35939 | 1 Craftcms | 1 Craft Cms | 2025-10-24 | N/A | 5.3 MEDIUM | 
| Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. | |||||
| CVE-2025-46731 | 1 Craftcms | 1 Craft Cms | 2025-09-03 | N/A | 7.2 HIGH | 
| Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue. | |||||
| CVE-2025-57811 | 1 Craftcms | 1 Craft Cms | 2025-09-03 | N/A | 7.2 HIGH | 
| Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7. | |||||
| CVE-2025-54417 | 1 Craftcms | 1 Craft Cms | 2025-09-02 | N/A | 8.8 HIGH | 
| Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4. | |||||
| CVE-2022-37250 | 1 Craftcms | 1 Craft Cms | 2025-06-03 | N/A | 5.4 MEDIUM | 
| Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. | |||||
| CVE-2023-36259 | 1 Craftcms | 1 Craft Cms | 2025-05-29 | N/A | 5.4 MEDIUM | 
| Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. | |||||
| CVE-2022-37246 | 1 Craftcms | 1 Craft Cms | 2025-05-27 | N/A | 5.4 MEDIUM | 
| Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label. | |||||
| CVE-2025-32432 | 1 Craftcms | 1 Craft Cms | 2025-04-28 | N/A | 10.0 CRITICAL | 
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. | |||||
| CVE-2017-9516 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM | 
| Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | |||||
| CVE-2017-8383 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM | 
| Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | |||||
| CVE-2017-8385 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM | 
| Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | |||||
| CVE-2017-8384 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | 
| Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. | |||||
| CVE-2017-8052 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM | 
| Craft CMS before 2.6.2974 allows XSS attacks. | |||||
| CVE-2023-30177 | 1 Craftcms | 1 Craft Cms | 2025-02-03 | N/A | 6.1 MEDIUM | 
| CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. | |||||
| CVE-2023-30130 | 1 Craftcms | 1 Craft Cms | 2025-01-24 | N/A | 8.8 HIGH | 
| An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | |||||
| CVE-2023-2817 | 1 Craftcms | 1 Craft Cms | 2025-01-15 | N/A | 5.4 MEDIUM | 
| A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | |||||
| CVE-2023-30179 | 1 Craftcms | 1 Craft Cms | 2025-01-03 | N/A | 7.2 HIGH | 
| CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User Photo Location field when setting User Photo Location in User Settings, lead to Remote Code Execution. NOTE: the vendor disputes this because only Administrators can add this Twig code, and (by design) Administrators are allowed to do that by default. | |||||
| CVE-2023-33495 | 1 Craftcms | 1 Craft Cms | 2024-12-09 | N/A | 6.1 MEDIUM | 
| Craft CMS through 4.4.9 is vulnerable to HTML Injection. | |||||
