Cms

This hub aggregates every CVE we track for Cms, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Cms.

• CVE-2026-56394Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter6.5Jun 21, 2026
• CVE-2026-56393Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options4.8Jun 21, 2026
• CVE-2026-56385Craft CMS - Authorization Bypass in assets/preview-file Endpoint4.3Jun 21, 2026
• CVE-2026-56384Craft CMS - Missing Authorization in assets/preview-thumb Endpoint4.3Jun 21, 2026
• CVE-2026-56383Craft CMS - Stored XSS in Table Field via Row Heading Column Type4.8Jun 21, 2026
• CVE-2026-56382Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController7.2Jun 21, 2026
• CVE-2026-56381Craft CMS - Stored XSS via User Group Name in User Permissions Page4.8Jun 21, 2026
• CVE-2026-49288Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources4.3Jun 19, 2026
• CVE-2026-49287Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction7.4Jun 19, 2026
• CVE-2026-11511Bolt CMS HTML Attribute TextType.php HTML injection3.5Jun 8, 2026
• CVE-2026-45660Statamic: Server-Side Request Forgery via Glide5.4May 29, 2026
• CVE-2026-44306Statamic: Email enumeration via forgot password endpoint5.3May 12, 2026
• CVE-2026-44011Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior7.2May 12, 2026
• CVE-2026-44010Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure6.5May 12, 2026
• CVE-2026-7508Bootstrap CMS Page Creation show.blade.php code injection6.3Apr 30, 2026