craftcms/cms vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-33158Mediumcraftcms/cms: Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)CVE-2026-33157Highcraftcms/cms: Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached BehaviorCVE-2026-33051Mediumcraftcms/cms: Craft CMS Vulnerable to Stored XSS in Revision Context MenuCVE-2026-32267Highcraftcms/cms: Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()CVE-2026-32264Highcraftcms/cms: Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsControllerCVE-2026-32263Highcraftcms/cms: Craft CMS vulnerable to behavior injection RCE via EntryTypesControllerCVE-2026-32262Mediumcraftcms/cms: Craft CMS has a Path Traversal Vulnerability in AssetsControllerGHSA-G3HP-VVQF-8VW6Lowcraftcms/cms: Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions PageCVE-2026-31857Highcraftcms/cms: CraftCMS has an RCE vulnerability via relational conditionals in the control panelCVE-2026-31858Highcraftcms/cms: CraftCMS's `ElementSearchController` Affected by Blind SQL InjectionCVE-2026-31859Mediumcraftcms/cms: CraftCMS vulnerable to reflective XSS via incomplete return URL sanitizationCVE-2026-29113Lowcraftcms/cms: Craft CMS has a potential information disclosure vulnerability in preview tokensCVE-2026-29069Highcraftcms/cms: Craft CMS has unauthenticated activation email trigger with potential user enumerationCVE-2026-28784Mediumcraftcms/cms: Craft CMS has potential authenticated Remote Code Execution via Twig SSTICVE-2026-28782Mediumcraftcms/cms: Craft CMS has Permission Bypass and IDOR in Duplicate Entry ActionCVE-2026-28783Mediumcraftcms/cms: Craft CMS has Twig Function Blocklist BypassCVE-2026-28781Mediumcraftcms/cms: Craft CMS: Entries Authorship Spoofing via Mass AssignmentCVE-2026-28697Criticalcraftcms/cms: Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig TemplatesGHSA-4MGV-366X-QXVXLowcraftcms/cms: Craft CMS Vulnerable to Stored XSS in Settings Names and Field OptionsCVE-2026-28696Highcraftcms/cms: Craft CMS has IDOR via GraphQL @parseRefsCVE-2026-28695Mediumcraftcms/cms: Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadgetGHSA-6J87-M5QX-9FQPLowcraftcms/cms: Craft CMS has Stored XSS in Table Field in its "Row Heading" Column TypeCVE-2026-27129Mediumcraftcms/cms: Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 ResolutionCVE-2026-27128Mediumcraftcms/cms: Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limitCVE-2026-27127Highcraftcms/cms: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Stop the waste.
Protect your environment with Kodem.