craftcms/cms vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
GHSA-86VW-X4WW-X467Highcraftcms/cms: Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreviewGHSA-C43V-4CR8-6MVPLowcraftcms/cms: Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file readCVE-2026-55794Highcraftcms/cms: Craft CMS: Potential authenticated Remote Code Execution via referrer redirectCVE-2026-55793Mediumcraftcms/cms: Craft CMS: Stored XSS via Structure entry title in table viewCVE-2026-55792Mediumcraftcms/cms: Craft CMS: Sensitive File Disclosure / Server-Side File ReadCVE-2026-55790Highcraftcms/cms: Craft CMS: DOM XSS via GitHub issue title in CraftSupport widgetGHSA-X76W-8C62-48MGMediumcraftcms/cms: Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permissionCVE-2026-50282Highcraftcms/cms: Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced MovesCVE-2026-50281Highcraftcms/cms: Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elementsCVE-2026-50284Highcraftcms/cms: Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assetsCVE-2026-50283Mediumcraftcms/cms: Craft CMS: Unauthorized Deletion of Source Assets During File ReplacementCVE-2026-50280Mediumcraftcms/cms: Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save checkCVE-2026-50279Highcraftcms/cms: Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gapCVE-2026-55791Criticalcraftcms/cms: Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJsCVE-2026-44012Highcraftcms/cms: Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information DisclosureCVE-2026-44011Highcraftcms/cms: Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached BehaviorCVE-2026-44010Highcraftcms/cms: Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII DisclosureCVE-2026-41130Mediumcraftcms/cms: Craft CMS has a host header injection leading to SSRF via resource-js endpointCVE-2026-41129Mediumcraftcms/cms: Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads MutationsCVE-2026-41128Mediumcraftcms/cms: Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions ActionGHSA-44PX-QJJC-XRHQLowcraftcms/cms: Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadataCVE-2026-33162Mediumcraftcms/cms: Craft CMS has an authorization bypass which allows any control panel user to move entries without permissionsCVE-2026-33161Lowcraftcms/cms: Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized usersCVE-2026-33160Lowcraftcms/cms: Craft CMS may expose private assets through anonymous "generate transform" calls via transform URLCVE-2026-33159Mediumcraftcms/cms: Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

Stop the waste.
Protect your environment with Kodem.