📦 Craft CMS
by Craftcms
🛡️ Security Overview
⚠️ Known Vulnerabilities
Unauthenticated attackers can trigger database backup operations in vulnerable Craft CMS versions, potentially causing resource exhaustion or exposing sensitive database information. This affects Craf...
CVE-2025-32432 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected servers. This affects Craft CMS versions 3.0.0-RC1 through 3.9...
CVE-2024-56145 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected systems. Users are affected if they run vulnerable Craft CMS v...
CVE-2024-37843 is an unauthenticated SQL injection vulnerability in Craft CMS's GraphQL API endpoint. Attackers can execute arbitrary SQL commands without authentication, potentially compromising the ...
CVE-2023-41892 is a critical remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected systems. This affects all Craft CMS installations before versi...
CVE-2021-27903 is a remote code execution vulnerability in Craft CMS that allows attackers to execute arbitrary code on affected systems. This vulnerability affects Craft CMS installations where admin...
This CVE describes a SQL injection vulnerability in Craft CMS affecting the element-indexes/get-elements endpoint. Attackers with Control Panel access can inject arbitrary SQL via the criteria[orderBy...
This CVE describes a privilege escalation vulnerability in Craft CMS's GraphQL API where authenticated users with write access to one asset volume can modify or transfer assets belonging to any other ...
This is a Remote Code Execution vulnerability in Craft CMS that allows authenticated administrators to execute arbitrary system commands on the server. It affects Craft CMS versions 4.0.0-RC1 through ...
This vulnerability allows authenticated remote code execution in Craft CMS when an attacker with administrator access uploads a malicious Behavior attachment. It affects Craft CMS versions 5.0.0-RC1 t...
This vulnerability allows authenticated remote code execution in Craft CMS via Twig Server-Side Template Injection. Attackers with administrator access (or non-administrators with access to System Mes...
This CVE describes a remote code execution vulnerability in Craft CMS via Twig Server-Side Template Injection (SSTI). Attackers can execute arbitrary code on affected systems by injecting malicious te...
This vulnerability allows remote code execution in Craft CMS when attackers have a compromised security key and can create arbitrary files in the /storage/backups folder. By sending malicious requests...
This CVE describes a server-side template injection (SSTI) vulnerability in Craft CMS that could allow remote code execution. The vulnerability requires administrator access and the ALLOW_ADMIN_CHANGE...
This is a remote code execution vulnerability in Craft CMS versions 4 and 5 that allows attackers to execute arbitrary code on affected systems. The vulnerability requires that the Craft security key ...
CVE-2024-52291 is a path traversal vulnerability in CraftCMS that allows authenticated administrators to bypass local file system validation using a double file:// scheme. This enables attackers to sp...
The Feed Me plugin 4.6.1 for Craft CMS contains a denial of service vulnerability where remote attackers can submit crafted strings to Feed-Me Name and URL fields, causing the system to crash when sav...
CVE-2023-30179 is a Server-Side Template Injection vulnerability in CraftCMS that allows authenticated attackers to inject Twig templates into the User Photo Location field, potentially leading to rem...
This vulnerability in Craft CMS allows attackers with admin privileges to execute arbitrary code by uploading files with arbitrary extensions that get rendered as Twig templates. It affects Craft CMS ...
This vulnerability allows remote attackers to execute arbitrary code on CraftCMS servers through server-side template injection in the Section parameter. It affects CraftCMS version 3.8.1 installation...
CVE-2021-41824 is a CSV injection vulnerability in Craft CMS that allows attackers to inject malicious formulas into exported CSV files. When victims open these files in spreadsheet applications like ...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS's GraphQL Asset mutation that allows DNS rebinding attacks. Attackers can bypass IP restrictions by manipulating DNS ...
This CVE describes a Server-Side Request Forgery (SSRF) bypass vulnerability in Craft CMS. The SSRF validation in GraphQL Asset mutations fails to properly validate IPv6 addresses, allowing attackers ...
This stored cross-site scripting (XSS) vulnerability in Craft CMS allows attackers to inject malicious scripts into Number field prefixes/suffixes. When these fields are displayed on user profiles, th...
CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability in Craft CMS that allows attackers to inject malicious scripts via Entry Type names. These scripts execute when administrators view ...
This vulnerability in Craft CMS allows authenticated attackers with permission to use the save_images_Asset GraphQL mutation to bypass hostname validation and fetch internal URLs, potentially retrievi...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS where attackers can bypass SSRF protections by exploiting HTTP redirects. The vulnerability affects Craft CMS version...
This vulnerability allows attackers to bypass IP address blocklists in Craft CMS by using alternative IP notations (hexadecimal, mixed) that aren't recognized by PHP's filter_var() function. This enab...
This vulnerability allows authenticated users on Craft CMS installations to expose sensitive assets through maliciously crafted requests targeting user profile photos. The issue affects Craft CMS vers...
This SSRF vulnerability in Craft CMS allows attackers with GraphQL asset management permissions to force the server to fetch content from arbitrary internal or cloud metadata endpoints. The fetched co...
CVE-2025-35939 is a session file injection vulnerability in Craft CMS where unauthenticated users can inject arbitrary content into server-side session files. This could lead to remote code execution ...