CVSS: 8.1EPSS: 4%CPEs: 2EXPL: 0CVE-2025-23209 – Craft CMS Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-23209
18 Jan 2025 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help m... • https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 92%CPEs: 3EXPL: 4CVE-2024-56145 – RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms
https://notcve.org/view.php?id=CVE-2024-56145
18 Dec 2024 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. • https://packetstorm.news/files/id/188825 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52291 – Craft has a Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
https://notcve.org/view.php?id=CVE-2024-52291
13 Nov 2024 — Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Note that this will only wor... • https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52292 – Craft Allows Attackers to Read Arbitrary System Files
https://notcve.org/view.php?id=CVE-2024-52292
13 Nov 2024 — Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowi... • https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.3EPSS: 1%CPEs: 2EXPL: 0CVE-2024-52293 – Craft has a Potential Remote Code Execution via missing path normalization & Twig SSTI
https://notcve.org/view.php?id=CVE-2024-52293
13 Nov 2024 — Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3. • https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45406 – Craft CMS stored XSS in breadcrumb list and title fields
https://notcve.org/view.php?id=CVE-2024-45406
09 Sep 2024 — Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input. • https://github.com/craftcms/cms/commit/b7348942f8131b3868ec6f46d615baae50151bb8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41800 – Craft CMS Allows TOTP Token To Stay Valid After Use
https://notcve.org/view.php?id=CVE-2024-41800
25 Jul 2024 — Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3. • https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 71%CPEs: 1EXPL: 1CVE-2024-37843
https://notcve.org/view.php?id=CVE-2024-37843
25 Jun 2024 — Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. Se descubrió que Craft CMS hasta v3.7.31 contenía una vulnerabilidad de inyección SQL a través del endpoint de la API GraphQL. • https://github.com/gsmith257-cyber/CVE-2024-37843-POC • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36259
https://notcve.org/view.php?id=CVE-2023-36259
30 Jan 2024 — Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation. Una vulnerabilidad de Cross Site Scripting (XSS) en Craft CMS Audit Plugin anterior a la versión 3.0.2 permite a los atacantes ejecutar código arbitrario durante la creación de usuarios. • https://github.com/sjelfull/craft-audit/pull/73 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36260
https://notcve.org/view.php?id=CVE-2023-36260
30 Jan 2024 — An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security." Un probl... • https://github.com/craftcms/feed-me/commit/b5d6ede51848349bd91bc95fec288b6793f15e28 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •