
CVSS: 6.9 • EPSS: 38% • CPEs: 2 • EXPL: 0

07 May 2025 — Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the cl... • https://github.com/craftcms/cms/pull/17220 • CWE-472: External Control of Assumed-Immutable Web Parameter •

CVSS: 7.8 • EPSS: 8% • CPEs: 1 • EXPL: 1

06 Oct 2023 — Directory Traversal vulnerability in Hex-Dragon Plain Craft Launcher 2 version Alpha 1.3.9, allows local attackers to execute arbitrary code and gain sensitive information. • https://github.com/9Bakabaka/CVE-2023-36123 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •