Security: craftcms/cms
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- ElementSearchController Blind SQL Injection (Bypass of GHSA-2453-mppf-46cj): GHSA-g7j6-fmwx-7vp8, published Mar 9, 2026 by angrybrad. Severity: High
- RCE vulnerability via relational conditionals in the control panel: GHSA-fp5j-j7j4-mcxc, published Mar 9, 2026 by angrybrad. Severity: High
- Potential information disclosure vulnerability in preview tokens: GHSA-vg3j-hpm9-8v5v, published Mar 9, 2026 by angrybrad. Severity: Low
- Reflective XSS via incomplete return URL sanitization: GHSA-fvwq-45qv-xvhv, published Mar 9, 2026 by angrybrad. Severity: Low
- Unauthenticated activation email trigger with potential user enumeration: GHSA-234q-vvw3-mrfq, published Mar 3, 2026 by angrybrad. Severity: Moderate
- Race condition in Token Service potentially allows for token usage greater than the token limit: GHSA-6fx5-5cw5-4897, published Feb 23, 2026 by angrybrad. Severity: Moderate
- Stored XSS in Table Field via "HTML" Column Type: GHSA-3jh3-prx3-w6wc, published Feb 23, 2026 by angrybrad. Severity: Low
- Stored XSS in Table Field via "Row Heading" Column Type: GHSA-6j87-m5qx-9fqp, published Feb 23, 2026 by angrybrad. Severity: Low
- Cloud Metadata SSRF Protection Bypass via IPv6 Resolution: GHSA-v2gc-rm6g-wrw9, published Feb 23, 2026 by angrybrad. Severity: Moderate
- Cloud Metadata SSRF Protection Bypass via DNS Rebinding: GHSA-gp2f-7wcm-5fhx, published Feb 23, 2026 by angrybrad. Severity: Moderate