Craftcms Security Vulnerabilities (CVEs)

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS's GraphQL Asset mutation that allows DNS rebinding attacks. Attacke...

This CVE describes a Server-Side Request Forgery (SSRF) bypass vulnerability in Craft CMS. The SSRF validation in GraphQL Asset mutations fails to pro...

This CVE describes a SQL injection vulnerability in Craft CMS affecting the element-indexes/get-elements endpoint. Attackers with Control Panel access...

This stored cross-site scripting (XSS) vulnerability in Craft CMS allows attackers to inject malicious scripts into Number field prefixes/suffixes. Wh...

This CVE describes a privilege escalation vulnerability in Craft CMS's GraphQL API where authenticated users with write access to one asset volume can...

This is a Remote Code Execution vulnerability in Craft CMS that allows authenticated administrators to execute arbitrary system commands on the server...

CVE-2026-25491 is a stored cross-site scripting (XSS) vulnerability in Craft CMS that allows attackers to inject malicious scripts via Entry Type name...

This vulnerability in Craft CMS allows authenticated attackers with permission to use the save_images_Asset GraphQL mutation to bypass hostname valida...

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS where attackers can bypass SSRF protections by exploiting HTTP redi...

This vulnerability allows attackers to bypass IP address blocklists in Craft CMS by using alternative IP notations (hexadecimal, mixed) that aren't re...

A stored cross-site scripting (XSS) vulnerability in Craft Commerce allows attackers to inject malicious JavaScript into Shipping Zone fields. When ad...

This vulnerability allows authenticated users on Craft CMS installations to expose sensitive assets through maliciously crafted requests targeting use...

This SSRF vulnerability in Craft CMS allows attackers with GraphQL asset management permissions to force the server to fetch content from arbitrary in...

This vulnerability allows authenticated remote code execution in Craft CMS via Twig Server-Side Template Injection. Attackers with administrator acces...

This vulnerability allows authenticated remote code execution in Craft CMS when an attacker with administrator access uploads a malicious Behavior att...

This CVE describes a remote code execution vulnerability in Craft CMS via Twig Server-Side Template Injection (SSTI). Attackers can execute arbitrary ...

This vulnerability allows remote code execution in Craft CMS when attackers have a compromised security key and can create arbitrary files in the /sto...

CVE-2025-35939 is a session file injection vulnerability in Craft CMS where unauthenticated users can inject arbitrary content into server-side sessio...

This CVE describes a server-side template injection (SSTI) vulnerability in Craft CMS that could allow remote code execution. The vulnerability requir...

This is a remote code execution vulnerability in Craft CMS versions 4 and 5 that allows attackers to execute arbitrary code on affected systems. The v...

CVE-2024-52291 is a path traversal vulnerability in CraftCMS that allows authenticated administrators to bypass local file system validation using a d...

The Feed Me plugin 4.6.1 for Craft CMS contains a denial of service vulnerability where remote attackers can submit crafted strings to Feed-Me Name an...

CVE-2023-30179 is a Server-Side Template Injection vulnerability in CraftCMS that allows authenticated attackers to inject Twig templates into the Use...

This vulnerability in Craft CMS allows attackers with admin privileges to execute arbitrary code by uploading files with arbitrary extensions that get...

This vulnerability allows remote attackers to execute arbitrary code on CraftCMS servers through server-side template injection in the Section paramet...

CVE-2021-41824 is a CSV injection vulnerability in Craft CMS that allows attackers to inject malicious formulas into exported CSV files. When victims ...