Craft cms
This hub aggregates every CVE we track for Craft CMS, a product in the web CMS plugins category. Use it to gauge the current risk picture and drill into individual advisories.
Summary
- 97 CVEs tracked
- 11 Critical
- 30 High
- 4 in CISA KEV
Severity distribution (97 total): Medium 55, High 30, Critical 11, Low 1
Monthly trend (CVEs published per month, 2024-07 to 2026-06, in order): 1, 0, 1, 0, 3, 1, 1, 0, 0, 1, 2, 0, 0, 2, 0, 0, 0, 0, 5, 12, 23, 0, 0, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Craft cms.
- CVE-2026-33162 (score 6.5): Craft CMS: Authorization bypass in "entries/move-to-section" allows a control panel user to move entries without section permissions
- CVE-2026-33161 (score 4.3): Craft CMS: Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
- CVE-2026-33160 (score 5.3): Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL
- CVE-2026-33159 (score 6.5): Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted to trusted users
- CVE-2026-33158 (score 6.5): Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
- CVE-2026-33157 (score 7.2): Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
- CVE-2026-33051 (score 5.4): Craft CMS vulnerable to Stored XSS in Revision Context Menu
- CVE-2026-32267 (score 9.8): Craft CMS vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
- CVE-2026-32264 (score 7.2): Craft CMS vulnerable to behavior injection RCE via ElementIndexesController and FieldsController
- CVE-2026-32263 (score 7.2): Craft CMS vulnerable to behavior injection RCE via EntryTypesController
- CVE-2026-32262 (score 4.3): Craft CMS has a Path Traversal vulnerability in AssetsController
- CVE-2026-31859 (score 6.1): Craft has Reflective XSS via incomplete return URL sanitization
- CVE-2026-31858 (score 8.8): CraftCMS's `ElementSearchController` affected by Blind SQL Injection
- CVE-2026-31857 (score 8.8): CraftCMS has an RCE vulnerability via relational conditionals in the control panel
- CVE-2026-29113 (score 4.3): Craft has a potential information disclosure vulnerability in preview tokens
Product normalization is registry-driven with AI assist and human review.