craftcms/cms vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

Get a demo

Browse by ecosystem

npmPyPIMavenGoRubyGemsCargoNuGetComposerpubSwiftGitHub Actions
CVE-IDSeverityPackage summary
CVE-2026-27126Mediumcraftcms/cms: Craft CMS has Stored XSS in Table Field via "HTML" Column TypeCVE-2026-25498Highcraftcms/cms: Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached BehaviorCVE-2026-25497Highcraftcms/cms: Craft CMS: GraphQL Asset Mutation Privilege EscalationCVE-2026-25496Mediumcraftcms/cms: Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix FieldsCVE-2026-25495Highcraftcms/cms: Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`CVE-2026-25494Mediumcraftcms/cms: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP NotationCVE-2026-25493Mediumcraftcms/cms: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP RedirectCVE-2026-25491Lowcraftcms/cms: Craft CMS Vulnerable to Stored XSS in Entry Types NameCVE-2025-68455Highcraftcms/cms: Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached BehaviorCVE-2025-68456Highcraftcms/cms: Unauthenticated Craft CMS users can trigger a database backupCVE-2025-68454Mediumcraftcms/cms: Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTICVE-2025-68437Mediumcraftcms/cms: Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload MutationCVE-2025-68436Mediumcraftcms/cms: Craft CMS vulnerable to potential information disclosure via unchecked asset relocationCVE-2025-57811Mediumcraftcms/cms: Craft CMS Potential Remote Code Execution via Twig SSTICVE-2025-54417Mediumcraftcms/cms: Craft CMS has a theoretical bypass for CVE-2025-23209CVE-2025-35939Mediumcraftcms/cms: Craft CMS stores arbitrary content provided by unauthenticated users in session filesCVE-2025-46731Highcraftcms/cms: Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTICVE-2025-32432Criticalcraftcms/cms: Craft CMS Allows Remote Code ExecutionCVE-2025-23209Highcraftcms/cms: Craft CMS has a potential RCE with a compromised security keyCVE-2024-56145Criticalcraftcms/cms: Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabledCVE-2024-52293Highcraftcms/cms: Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTICVE-2024-52292Highcraftcms/cms: Craft CMS Arbitrary System File ReadCVE-2024-52291Highcraftcms/cms: Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code ExecutionCVE-2024-45406Mediumcraftcms/cms: Craft CMS vulnerable to stored XSS in breadcrumb list and title fieldsCVE-2024-41800Mediumcraftcms/cms: Craft CMS Allows TOTP Token To Stay Valid After Use

Stop the waste.
Protect your environment with Kodem.