Craftcms/cms

This hub aggregates every CVE we track for Craftcms/cms, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Craftcms/cms.

• CVE-2026-32267Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()9.8Mar 16, 2026
• CVE-2026-32264Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController7.2Mar 16, 2026
• CVE-2026-32263Craft CMS vulnerable to behavior injection RCE via EntryTypesController7.2Mar 16, 2026
• CVE-2026-32262Craft CMS has a Path Traversal Vulnerability in AssetsController4.3Mar 16, 2026
• CVE-2026-31859Craft has Reflective XSS via incomplete return URL sanitization6.1Mar 11, 2026
• CVE-2026-31858CraftCMS's `ElementSearchController` Affected by Blind SQL Injection8.8Mar 11, 2026
• CVE-2026-31857CraftCMS has an RCE vulnerability via relational conditionals in the control panel8.8Mar 11, 2026
• CVE-2026-29113Craft has a potential information disclosure vulnerability in preview tokens4.3Mar 10, 2026
• CVE-2026-29069Craft has an unauthenticated activation email trigger with potential user enumeration5.3Mar 4, 2026
• CVE-2026-28784Craft is affected by potential authenticated Remote Code Execution via Twig SSTI7.2Mar 4, 2026
• CVE-2026-28783Craft has a Twig Function Blocklist Bypass9.1Mar 4, 2026
• CVE-2026-28782Craft has a Permission Bypass and IDOR in Duplicate Entry Action4.3Mar 4, 2026
• CVE-2026-28781Craft Affected by Entries Authorship Spoofing via Mass Assignment6.5Mar 4, 2026
• CVE-2026-28697Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates9.1Mar 4, 2026
• CVE-2026-28696Craft affected by IDOR via GraphQL @parseRefs7.5Mar 4, 2026