CSRF in Craftcms Cms
CVE-2026-29113
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action do…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.000 (0.7th percentile) — read the EPSS interpretation.
Affected products
- Craftcms Cms — versions >= 4.0.0-RC1, < 4.17.3, >= 5.0.0-RC1, < 5.9.6
Weakness classification (CWE)
References
- https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v (x_refsource_CONFIRM)
- https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc (x_refsource_MISC)