Craftcms Craft_cms

97 CVEs are recorded against Craftcms Craft_cms (the CPE vendor/product pair for Craft CMS). Latest disclosed: 2026-03-24. Severity breakdown: 11 Critical, 30 High.

Top 20 CVEs affecting Craftcms Craft_cms (of 97), sorted by severity, then CVSS score, then publication date
| CVE | Severity | CVSS score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2025-32432 | Critical | 10.0 | 2025-04-25 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-R… |
| CVE-2023-41892 | Critical | 10.0 | 2023-09-13 | Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15… |
| CVE-2026-32267 | Critical | 9.8 | 2026-03-16 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-priv… |
| CVE-2024-56145 | Critical | 9.8 | 2024-12-18 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerabi… |
| CVE-2024-37843 | Critical | 9.8 | 2024-06-25 | Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. |
| CVE-2021-27903 | Critical | 9.8 | 2021-06-30 | An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restric… |
| CVE-2020-9757 | Critical | 9.8 | 2020-03-04 | The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. |
| CVE-2019-15929 | Critical | 9.8 | 2019-10-24 | In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute forc… |
| CVE-2026-28783 | Critical | 9.1 | 2026-03-04 | Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP func… |
| CVE-2026-28697 | Critical | 9.1 | 2026-03-04 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by… |
| CVE-2025-68456 | Critical | 9.1 | 2026-01-05 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger databa… |
| CVE-2026-31858 | High | 8.8 | 2026-03-11 | Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementInd… |
| CVE-2026-31857 | High | 8.8 | 2026-03-11 | Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The B… |
| CVE-2026-25497 | High | 8.8 | 2026-02-09 | Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalatio… |
| CVE-2026-25495 | High | 8.8 | 2026-02-09 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-element… |
| CVE-2025-68454 | High | 8.8 | 2026-01-05 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated… |
| CVE-2025-54417 | High | 8.8 | 2025-08-09 | Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-2… |
| CVE-2023-30130 | High | 8.8 | 2023-05-12 | An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
| CVE-2022-29933 | High | 8.8 | 2022-05-09 | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the acc… |
| CVE-2021-41824 | High | 8.8 | 2021-09-30 | Craft CMS before 3.7.14 allows CSV injection. |
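The affected-version ranges in the summaries above mix inclusive bounds ("4.0.0-RC1 through 4.16.17"), exclusive bounds ("to before 4.17.6") and pre-release tags ("4.17.0-beta.1", "3.0.0-RC1"), so a naive numeric comparison of "major.minor.patch" gets the boundary cases wrong: 3.0.0-RC1 sits inside the CVE-2025-32432 range but before the 3.0.0 lower bound of CVE-2025-68456, and 4.17.0-beta.1 is the fixed release for CVE-2026-25497 while 4.16.17 is the last affected one. The script below is an added example, not code from this page or from the Craft CMS project: it parses Craft-style version strings, orders pre-release stages as alpha < beta < RC < release (an assumption; it matches how Composer orders these tags), and checks an installed version against the ranges transcribed from the summaries. Only advisories whose ranges are complete on the page are included; where a summary is truncated (the 4.x part of CVE-2025-32432, the 5.x lower bound of CVE-2026-25497) that part is omitted rather than guessed, and "prior to" ranges with no stated lower bound are left out. Treat the result as a triage hint against these 20 entries, not as a statement about all 97 CVEs; the vendor advisory remains the authority.

```python
import re
from typing import Dict, List, Tuple

# Pre-release stage ordering. Assumption: alpha < beta < RC < final release,
# which is the ordering Composer applies to tags like 4.17.0-beta.1.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

# Accepts "5.9.12", "3.0.0-RC1", "4.17.0-beta.1" (dot between stage and number optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a tuple that sorts correctly for Craft version strings.

    A final release ranks above any pre-release of the same major.minor.patch.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, stage, num = m.groups()
    if stage is None:
        return (int(major), int(minor), int(patch), _RELEASE_RANK, 0)
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage.lower()], int(num))


# (lower bound, upper bound, upper bound inclusive?). Lower bounds are always inclusive.
Range = Tuple[str, str, bool]

# Ranges transcribed from the advisory summaries in the table above. Truncated parts
# and ranges without a stated lower bound are deliberately not included.
ADVISORY_RANGES: Dict[str, List[Range]] = {
    "CVE-2025-32432": [("3.0.0-RC1", "3.9.15", False)],  # 4.x range truncated on the page
    "CVE-2026-32267": [("4.0.0-RC1", "4.17.6", False), ("5.0.0-RC1", "5.9.12", False)],
    "CVE-2025-68456": [("3.0.0", "4.16.16", True), ("5.0.0-RC1", "5.8.20", True)],
    "CVE-2025-68454": [("4.0.0-RC1", "4.16.16", True), ("5.0.0-RC1", "5.8.20", True)],
    "CVE-2026-25495": [("4.0.0-RC1", "4.16.17", True), ("5.0.0-RC1", "5.8.21", True)],
    "CVE-2025-54417": [("4.13.8", "4.16.2", True), ("5.5.8", "5.8.3", True)],
    "CVE-2026-25497": [("4.0.0-RC1", "4.17.0-beta.1", False)],  # 5.x lower bound not stated
}


def in_range(version: str, rng: Range) -> bool:
    """True if `version` lies inside one transcribed range, honouring the bound types."""
    low, high, high_inclusive = rng
    v = parse_version(version)
    if v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_inclusive else v < h


def affected_by(version: str) -> List[str]:
    """CVE identifiers from ADVISORY_RANGES whose ranges contain `version`, sorted."""
    return sorted(
        cve for cve, ranges in ADVISORY_RANGES.items()
        if any(in_range(version, r) for r in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inputs, chosen to sit on the boundaries discussed above.
    for v in ("3.0.0-RC1", "3.9.15", "4.16.17", "4.17.0-beta.1", "5.8.20", "5.9.12"):
        print(f"{v:14s} -> {affected_by(v) or 'none of the listed ranges'}")
```

Note that `4.17.0-beta.1` is reported as affected by CVE-2026-32267 (fixed in 4.17.6) but not by CVE-2026-25497 (fixed in that very beta), and `3.0.0-RC1` is reported for CVE-2025-32432 but not for CVE-2025-68456, whose 3.x range starts at the 3.0.0 release; a comparison that drops the pre-release tag would get both wrong.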