[MEDIUM] Craft CMS stores arbitrary content provided by unauthenticated users in session files

PKSA-ht16-h36v-hxc7 CVE-2025-35939 GHSA-7vrx-9684-xrf2

Affected version: <4.15.3|>=5.0.0-alpha.1,<5.7.5

Reported by:
GitHub

[HIGH] Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI

PKSA-8gxy-mg5h-z15w CVE-2025-46731 GHSA-7c58-g782-9j38

Affected version: >=5.0.0-RC1,<=5.6.14|>=4.0.0-RC1,<=4.14.12

Reported by:
GitHub

[CRITICAL] Craft CMS Allows Remote Code Execution

PKSA-5c44-5nbz-c7cq CVE-2025-32432 GHSA-f3gw-9ww9-jmc3

Affected version: >=5.0.0-RC1,<=5.6.16|>=4.0.0-RC1,<=4.14.14|>=3.0.0-RC1,<=3.9.14

Reported by:
GitHub

[HIGH] Craft CMS has a potential RCE with a compromised security key

PKSA-nfqr-ns8g-wkkx CVE-2025-23209 GHSA-x684-96hh-833x

Affected version: >=4.0.0-RC1,<4.13.8|>=5.0.0-RC1,<5.5.5

Reported by:
GitHub

[CRITICAL] Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

PKSA-xh7q-jwpn-v1cd CVE-2024-56145 GHSA-2p6p-9rc9-62j9

Affected version: >=3.0.0,<3.9.14|>=4.0.0-RC1,<4.13.2|>=5.0.0-RC1,<5.5.2

Reported by:
GitHub

[HIGH] Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI

PKSA-4wwj-2m42-9pp5 CVE-2024-52293 GHSA-f3cw-hg6r-chfv

Affected version: >=5.0.0-RC1,<=5.4.2|>=4.0.0-RC1,<=4.12.1

Reported by:
GitHub

[HIGH] Craft CMS Arbitrary System File Read

PKSA-jkbm-w624-yb7q CVE-2024-52292 GHSA-cw6g-qmjq-6w2w

Affected version: >=3.5.13,<=4.12.6.1|>=5.0.0-alpha.1,<=5.4.7.1

Reported by:
GitHub

[HIGH] Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution

PKSA-mtjx-x487-29s9 CVE-2024-52291 GHSA-jrh5-vhr9-qh7q

Affected version: >=4.0.0-RC1,<=4.12.4.1|>=5.0.0-RC1,<=5.4.5.1

Reported by:
GitHub

[MEDIUM] Craft CMS Allows TOTP Token To Stay Valid After Use

PKSA-56qm-r9zg-vprk CVE-2024-41800 GHSA-wmx7-pw49-88jx

Affected version: >=5.0.0-beta.1,<=5.2.2

Reported by:
GitHub