Craftcms Craft_cms
97 CVEs affecting Craftcms Craft_cms. Latest disclosed: 2026-03-24. Critical: 11, High: 30.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-32432 | Critical | 10.0 | 2025-04-25 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-R… |
| CVE-2023-41892 | Critical | 10.0 | 2023-09-13 | Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15… |
| CVE-2026-32267 | Critical | 9.8 | 2026-03-16 | Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-priv… |
| CVE-2024-56145 | Critical | 9.8 | 2024-12-18 | Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerabi… |
| CVE-2024-37843 | Critical | 9.8 | 2024-06-25 | Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. |
| CVE-2021-27903 | Critical | 9.8 | 2021-06-30 | An issue was discovered in Craft CMS before 3.6.7. In some circumstances, a potential Remote Code Execution vulnerability existed on sites that did not restric… |
| CVE-2020-9757 | Critical | 9.8 | 2020-03-04 | The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller. |
| CVE-2019-15929 | Critical | 9.8 | 2019-10-24 | In Craft CMS through 3.1.7, the elevated session password prompt was not being rate limited like normal login forms, leading to the possibility of a brute forc… |
| CVE-2026-28783 | Critical | 9.1 | 2026-03-04 | Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP func… |
| CVE-2026-28697 | Critical | 9.1 | 2026-03-04 | Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by… |
| CVE-2025-68456 | Critical | 9.1 | 2026-01-05 | Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger databa… |
| CVE-2026-31858 | High | 8.8 | 2026-03-11 | Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementInd… |
| CVE-2026-31857 | High | 8.8 | 2026-03-11 | Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The B… |
| CVE-2026-25497 | High | 8.8 | 2026-02-09 | Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalatio… |
| CVE-2026-25495 | High | 8.8 | 2026-02-09 | Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-element… |
| CVE-2025-68454 | High | 8.8 | 2026-01-05 | Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated… |
| CVE-2025-54417 | High | 8.8 | 2025-08-09 | Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-2… |
| CVE-2023-30130 | High | 8.8 | 2023-05-12 | An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. |
| CVE-2022-29933 | High | 8.8 | 2022-05-09 | Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the account's password and take over the acc… |
| CVE-2021-41824 | High | 8.8 | 2021-09-30 | Craft CMS before 3.7.14 allows CSV injection. |