Information disclosure in Craftcms Aws-s3

CVE-2026-32265

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()`…

Vulnerability class: Information Disclosure

EPSS: 0.000 (10.6th percentile) — read the EPSS interpretation.

Affected products

Craftcms Aws-s3 — versions >= 2.0.2, < 2.2.5

Weakness classification (CWE)

CWE-200 — Information Disclosure

References

https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9 (x_refsource_CONFIRM)
https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f (x_refsource_MISC)