Craftcms Cms
67 CVEs affecting Craftcms Cms. Latest disclosed: 2026-05-12. Critical: 2, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-32432 | Critical | 10.0 | 2025-04-25 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-R… |
| CVE-2023-41892 | Critical | 10.0 | 2023-09-13 | Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15… |
| CVE-2024-52291 | High | 8.5 | 2024-11-13 | Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file://… |
| CVE-2025-23209 | High | 8.1 | 2025-01-18 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that… |
| CVE-2024-52292 | High | 7.7 | 2024-11-13 | Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This f… |
| CVE-2024-52293 | High | 7.2 | 2024-11-13 | Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Re… |
| CVE-2023-40035 | High | 7.2 | 2023-08-23 | Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution… |
| CVE-2023-32679 | High | 7.2 | 2023-05-19 | Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If t… |
| CVE-2023-31144 | Medium | 6.1 | 2023-05-09 | Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a c… |
| CVE-2023-23927 | Medium | 6.1 | 2023-03-03 | Craft is a platform for creating digital experiences. When you insert a payload inside a label name or instruction of an entry type, a cross-site scripting (X… |
| CVE-2024-45406 | Medium | 5.5 | 2024-09-09 | Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. |
| CVE-2023-33196 | Medium | 5.5 | 2023-05-26 | Craft is a CMS for creating custom digital experiences. Cross-site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4… |
| CVE-2023-33197 | Medium | 5.5 | 2023-05-26 | Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue h… |
| CVE-2024-21622 | Medium | 5.4 | 2024-01-03 | Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to… |
| CVE-2023-33195 | Medium | 5.0 | 2023-05-27 | Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. |
| CVE-2024-41800 | Medium | 4.8 | 2024-07-25 | Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit… |
| CVE-2023-33194 | Low | 3.7 | 2023-05-26 | Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in Quick Post validation error message… |
| CVE-2026-44012 | | | 2026-05-12 | Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its… |
| CVE-2026-44011 | | | 2026-05-12 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creati… |
| CVE-2026-44010 | | | 2026-05-12 | Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Addre… |