Filtered by vendor Craftcms
Subscriptions
Total
54 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-56145 | 1 Craftcms | 1 Craft Cms | 2025-06-06 | 9.8 Critical |
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. | ||||
| CVE-2025-35939 | 1 Craftcms | 1 Craft Cms | 2025-06-06 | 5.3 Medium |
| Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue. | ||||
| CVE-2022-37250 | 1 Craftcms | 1 Craft Cms | 2025-06-03 | 5.4 Medium |
| Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount. | ||||
| CVE-2023-36259 | 1 Craftcms | 1 Craft Cms | 2025-05-29 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. | ||||
| CVE-2022-37246 | 1 Craftcms | 1 Craft Cms | 2025-05-27 | 5.4 Medium |
| Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label. | ||||
| CVE-2025-32432 | 1 Craftcms | 1 Craft Cms | 2025-04-29 | 10 Critical |
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. | ||||
| CVE-2017-8383 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | N/A |
| Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder. | ||||
| CVE-2017-9516 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | N/A |
| Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file. | ||||
| CVE-2017-8052 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | N/A |
| Craft CMS before 2.6.2974 allows XSS attacks. | ||||
| CVE-2017-8385 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | N/A |
| Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message. | ||||
| CVE-2017-8384 | 1 Craftcms | 1 Craft Cms | 2025-04-20 | N/A |
| Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need not be zero-based. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-8052. | ||||
| CVE-2024-21622 | 1 Craftcms | 1 Craft Cms | 2025-04-17 | 5.4 Medium |
| Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. | ||||
| CVE-2023-23927 | 1 Craftcms | 1 Craft Cms | 2025-02-25 | 6.1 Medium |
| Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an cross-site scripting (XSS) happens in the quick post widget on the admin dashboard. This issue has been fixed in version 4.3.7. | ||||
| CVE-2025-23209 | 1 Craftcms | 1 Craft Cms | 2025-02-21 | 8.1 High |
| Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue. | ||||
| CVE-2023-41892 | 1 Craftcms | 1 Craft Cms | 2025-02-13 | 10 Critical |
| Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15. | ||||
| CVE-2023-32679 | 1 Craftcms | 1 Craft Cms | 2025-02-12 | 7.2 High |
| Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not empty string('') in the View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as twig templates. When attacker with admin privileges on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability to remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-30177 | 1 Craftcms | 1 Craft Cms | 2025-02-03 | 6.1 Medium |
| CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name. | ||||
| CVE-2023-31144 | 1 Craftcms | 1 Craft Cms | 2025-01-28 | 6.1 Medium |
| Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. | ||||
| CVE-2023-30130 | 1 Craftcms | 1 Craft Cms | 2025-01-24 | 8.8 High |
| An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | ||||
| CVE-2023-2817 | 1 Craftcms | 1 Craft Cms | 2025-01-15 | 5.4 Medium |
| A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | ||||