CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-54417 – Craft contains a theoretical bypass for CVE-2025-23209
https://notcve.org/view.php?id=CVE-2025-54417
09 Aug 2025 — Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db en... • https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.9EPSS: 38%CPEs: 2EXPL: 0CVE-2025-35939 – Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
https://notcve.org/view.php?id=CVE-2025-35939
07 May 2025 — Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the cl... • https://github.com/craftcms/cms/pull/17220 • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2025-46731 – Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
https://notcve.org/view.php?id=CVE-2025-46731
05 May 2025 — Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue. • https://github.com/singetu0096/CVE-2025-46731 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 10.0EPSS: 74%CPEs: 3EXPL: 7CVE-2025-32432 – Craft CMS Allows Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-32432
25 Apr 2025 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892. • https://packetstorm.news/files/id/190687 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 1CVE-2025-3214 – JFinal CMS readTemplate engine.getTemplate path traversal
https://notcve.org/view.php?id=CVE-2025-3214
04 Apr 2025 — A vulnerability has been found in JFinal CMS up to 5.2.4 and classified as problematic. Affected by this vulnerability is the function engine.getTemplate of the file /readTemplate. The manipulation of the argument template leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Q16G/cve_detail/blob/main/jfinal/jfinal_enjoy_file_read.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 3%CPEs: 2EXPL: 0CVE-2025-23209 – Craft CMS Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-23209
18 Jan 2025 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help m... • https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 94%CPEs: 3EXPL: 5CVE-2024-56145 – Craft CMS Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-56145
18 Dec 2024 — Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue. • https://packetstorm.news/files/id/188825 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52600 – Statamic CMS has Path Traversal in Asset Upload
https://notcve.org/view.php?id=CVE-2024-52600
19 Nov 2024 — Statmatic is a Laravel and Git powered content management system (CMS). Prior to version 5.17.0, assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. The issue affects front-end forms with `assets` fields and other places where assets can be uploaded, although users would need upload permissions anyway. Files can be uploaded so they would be located on the server in a different location, and potentially override existing files... • https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52291 – Craft has a Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution
https://notcve.org/view.php?id=CVE-2024-52291
13 Nov 2024 — Craft is a content management system (CMS). A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads. Note that this will only wor... • https://github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52292 – Craft Allows Attackers to Read Arbitrary System Files
https://notcve.org/view.php?id=CVE-2024-52292
13 Nov 2024 — Craft is a content management system (CMS). The dataUrl function can be exploited if an attacker has write permissions on system notification templates. This function accepts an absolute file path, reads the file's content, and converts it into a Base64-encoded string. By embedding this function within a system notification template, the attacker can exfiltrate the Base64-encoded file content through a triggered system email notification. Once the email is received, the Base64 payload can be decoded, allowi... • https://github.com/craftcms/cms/security/advisories/GHSA-cw6g-qmjq-6w2w • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •