craftcms

Top products

The 15 most recently published vulnerabilities affecting craftcms.

• CVE-2026-56394Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter6.5Jun 21, 2026
• CVE-2026-56393Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options4.8Jun 21, 2026
• CVE-2026-56385Craft CMS - Authorization Bypass in assets/preview-file Endpoint4.3Jun 21, 2026
• CVE-2026-56384Craft CMS - Missing Authorization in assets/preview-thumb Endpoint4.3Jun 21, 2026
• CVE-2026-56383Craft CMS - Stored XSS in Table Field via Row Heading Column Type4.8Jun 21, 2026
• CVE-2026-56382Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController7.2Jun 21, 2026
• CVE-2026-56381Craft CMS - Stored XSS via User Group Name in User Permissions Page4.8Jun 21, 2026
• CVE-2026-44011Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior7.2May 12, 2026
• CVE-2026-44010Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure6.5May 12, 2026
• CVE-2026-33162Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions6.5Mar 24, 2026
• CVE-2026-33161Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users4.3Mar 24, 2026
• CVE-2026-33160Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL5.3Mar 24, 2026
• CVE-2026-33159Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users6.5Mar 24, 2026
• CVE-2026-33158Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)6.5Mar 24, 2026
• CVE-2026-33157Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior7.2Mar 24, 2026