CVE-2023-41892 — CVSS 10.0 (critical): Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft…
CVE-2020-9757 — CVSS 9.8 (critical): The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the…
CVE-2024-37843 — CVSS 9.8 (critical): Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint.
CVE-2019-15929 — CVSS 9.8 (critical): In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the…
CVE-2021-27903 — CVSS 9.8 (critical): An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites…
CVE-2026-32267 — CVSS 9.8 (critical): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before…
CVE-2026-28783 — CVSS 9.1 (critical): Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent…
CVE-2025-68456 — CVSS 9.1 (critical): Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users…
CVE-2026-28697 — CVSS 9.1 (critical): Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code…
CVE-2026-25495 — CVSS 8.8 (high): Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the…
CVE-2026-31858 — CVSS 8.8 (high): Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was…
CVE-2018-3814 — CVSS 8.8 (high): Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and then the "Replace…
CVE-2026-31857 — CVSS 8.8 (high): Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5…
CVE-2026-25497 — CVSS 8.8 (high): Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a…
CVE-2022-29933 — CVSS 8.8 (high): Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password…
CVE-2025-68454 — CVSS 8.8 (high): Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to…
CVE-2025-54417 — CVSS 8.8 (high): Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that…
CVE-2023-30130 — CVSS 8.8 (high): An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter.
CVE-2024-52291 — CVSS 8.4 (high): Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by…
CVE-2024-52292 — CVSS 7.7 (high): Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system…
CVE-2023-36260 — CVSS 7.5 (high): An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via…
CVE-2022-37783 — CVSS 7.5 (high): All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their E-Mail address or username…
CVE-2026-28696 — CVSS 7.5 (high): Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse…
CVE-2025-46731 — CVSS 7.2 (high): Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16…
CVE-2026-28784 — CVSS 7.2 (high): Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map…
CVE-2026-32263 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php…
CVE-2023-32679 — CVSS 7.2 (high): Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote…
CVE-2026-32264 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before…
CVE-2026-28695 — CVSS 7.2 (high): Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection…
CVE-2026-25498 — CVSS 7.2 (high): Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code…
CVE-2024-52293 — CVSS 7.2 (high): Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function…
CVE-2023-30179 — CVSS 7.2 (high): CraftCMS version 3.7.59 is vulnerable to Server-Side Template Injection (SSTI). An authenticated attacker can inject Twig Template to User…
CVE-2018-20465 — CVSS 7.2 (high): Craft CMS through 3.0.34 allows remote authenticated administrators to read sensitive information via server-side template injection, as…
CVE-2025-68455 — CVSS 7.2 (high): Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to…
CVE-2026-33157 — CVSS 7.2 (high): Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability…
CVE-2025-57811 — CVSS 7.2 (high): Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote…
CVE-2023-40035 — CVSS 7.2 (high): Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential…
CVE-2025-68437 — CVSS 6.8 (medium): Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS…
CVE-2026-33162 — CVSS 6.5 (medium): Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only…
CVE-2025-68436 — CVSS 6.5 (medium): Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated…
CVE-2026-25492 — CVSS 6.5 (medium): Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset…
CVE-2026-25493 — CVSS 6.5 (medium): Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the…
CVE-2026-25494 — CVSS 6.5 (medium): Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the…
CVE-2026-27129 — CVSS 6.5 (medium): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in…
CVE-2026-28781 — CVSS 6.5 (medium): Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment…
CVE-2026-33158 — CVSS 6.5 (medium): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before…
CVE-2026-33159 — CVSS 6.5 (medium): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before…
CVE-2026-27127 — CVSS 6.3 (medium): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in…
CVE-2019-17496 — CVSS 6.1 (medium): Craft CMS before 3.3.8 has stored XSS via a name field. This field is mishandled during site deletion.
CVE-2019-9554 — CVSS 6.1 (medium): In the 3.1.12 Pro version of Craft CMS, XSS has been discovered in the header insertion field when adding source code at an…
CVE-2021-27902 — CVSS 6.1 (medium): An issue was discovered in Craft CMS before 3.6.0. In some circumstances, a potential XSS vulnerability existed in connection with…
CVE-2026-31859 — CVSS 6.1 (medium): Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php…
CVE-2017-8384 — CVSS 6.1 (medium): Craft CMS before 2.6.2976 allows XSS attacks because an array returned by HttpRequestService::getSegments() and getActionSegments() need…
CVE-2023-30177 — CVSS 6.1 (medium): CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.
CVE-2023-31144 — CVSS 6.1 (medium): Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed…
CVE-2023-23927 — CVSS 6.1 (medium): Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, an…
CVE-2023-33196 — CVSS 5.5 (medium): Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been…
CVE-2023-33197 — CVSS 5.5 (medium): Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index…
CVE-2024-45406 — CVSS 5.5 (medium): Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
CVE-2022-37247 — CVSS 5.4 (medium): Craft CMS 4.2.0.1 is vulnerable to stored a cross-site scripting (XSS) via /admin/settings/fields page.
CVE-2023-2817 — CVSS 5.4 (medium): A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be…
CVE-2026-33051 — CVSS 5.4 (medium): Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element…
CVE-2022-37246 — CVSS 5.4 (medium): Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific…
CVE-2020-19626 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via…
CVE-2017-9516 — CVSS 5.4 (medium): Craft CMS before 2.6.2982 allows for a potential XSS attack vector by uploading a malicious SVG file.
CVE-2024-21622 — CVSS 5.4 (medium): Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft…
CVE-2023-36259 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during…
CVE-2026-33160 — CVSS 5.3 (medium): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before…
CVE-2017-8385 — CVSS 5.3 (medium): Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.
CVE-2017-8383 — CVSS 5.3 (medium): Craft CMS before 2.6.2976 does not properly restrict viewing the contents of files in the craft/app/ folder.
CVE-2019-14280 — CVSS 5.3 (medium): In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't stripping EXIF data from user-uploaded images when it was configured…
CVE-2026-29069 — CVSS 5.3 (medium): Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible…
CVE-2023-33195 — CVSS 5.0 (medium): Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched…
CVE-2026-27126 — CVSS 4.8 (medium): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site…
CVE-2026-25496 — CVSS 4.8 (medium): Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored…
CVE-2018-20418 — CVSS 4.8 (medium): index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
CVE-2024-41800 — CVSS 4.8 (medium): Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker…
CVE-2026-25491 — CVSS 4.8 (medium): Craft is a platform for creating digital experiences. From 5.0.0-RC1 to 5.8.21, Craft has a stored XSS via Entry Type names. The name is…
CVE-2026-27128 — CVSS 4.8 (medium): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use…
CVE-2026-33161 — CVSS 4.3 (medium): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before…
CVE-2026-29113 — CVSS 4.3 (medium): Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at…
CVE-2026-32262 — CVSS 4.3 (medium): Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before…
CVE-2026-28782 — CVSS 4.3 (medium): Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify…
CVE-2023-33194 — CVSS 3.7 (low): Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post…