craftcms/cms Security Advisories for 4.16.17 (33)
-
[MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint
PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by:
GitHub -
[MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx
Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
Reported by:
GitHub -
[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel
PKSA-w79g-q9vy-mw7b CVE-2026-31857 GHSA-fp5j-j7j4-mcxc
Affected version: >=4.0.0-beta.1,<=4.17.3|>=5.0.0-RC1,<=5.9.8
Reported by:
GitHub -
[MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
PKSA-t9v1-2frg-d2wy CVE-2026-31859 GHSA-fvwq-45qv-xvhv
Affected version: >=5.7.5,<=5.9.6|>=4.15.3,<=4.17.2
Reported by:
GitHub -
[LOW] Craft CMS has a potential information disclosure vulnerability in preview tokens
PKSA-24yr-dkzm-n9v5 CVE-2026-29113 GHSA-vg3j-hpm9-8v5v
Affected version: >=5.0.0-RC1,<5.9.6|>=4.0.0-RC1,<4.17.3
Reported by:
GitHub -
[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq
Affected version: >=4.0.0-RC1,<4.17.0-beta.2|>=5.0.0-RC1,<5.9.0-beta.2
Reported by:
GitHub -
[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
PKSA-c1gj-84dj-vvh3 CVE-2026-28782 GHSA-jxm3-pmm2-9gf6
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS has Twig Function Blocklist Bypass
PKSA-x1f7-3vrt-jvfj CVE-2026-28783 GHSA-5fvc-7894-ghp4
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment
PKSA-zp4z-c8gp-zpww CVE-2026-28781 GHSA-2xfc-g69j-x2mp
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
PKSA-jqb9-4xf5-mdn1 CVE-2026-28697 GHSA-v47q-jxvr-p68x
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
PKSA-skz7-x8dk-h7t1 GHSA-4mgv-366x-qxvx
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[HIGH] Craft CMS has IDOR via GraphQL @parseRefs
PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj
Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
PKSA-n7dz-mnbq-y23y CVE-2026-28695 GHSA-94rc-cqvm-m4pw
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.8.7,<5.9.0-beta.1
Reported by:
GitHub -
[LOW] Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
PKSA-cf9h-wtzj-5nwd GHSA-6j87-m5qx-9fqp
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-beta.1,<=4.16.18
Reported by:
GitHub -
[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
PKSA-qgft-95tr-t5vt CVE-2026-27129 GHSA-v2gc-rm6g-wrw9
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
PKSA-k33k-b5qw-yqgp CVE-2026-27128 GHSA-6fx5-5cw5-4897
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
PKSA-ycmx-j7s8-wyxz CVE-2026-27127 GHSA-gp2f-7wcm-5fhx
Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22
Reported by:
GitHub -
[MEDIUM] Craft CMS has Stored XSS in Table Field via "HTML" Column Type
PKSA-knkq-h2rk-yc48 CVE-2026-27126 GHSA-3jh3-prx3-w6wc
Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
PKSA-g2n6-j3mn-x8xf CVE-2026-25498 GHSA-7jx7-3846-m7w7
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation
PKSA-zjy6-pdtw-mck8 CVE-2026-25497 GHSA-fxp3-g6gw-4r4v
Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to Stored XSS in Number Prefix & Suffix Fields
PKSA-5pj5-nxp6-547h CVE-2026-25496 GHSA-9f5h-mmq6-2x78
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to SQL Injection in Element Indexes via `criteria[orderBy]`
PKSA-9dtd-sv51-7pmx CVE-2026-25495 GHSA-2453-mppf-46cj
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
PKSA-jsy4-k6z3-fcjb CVE-2026-25494 GHSA-m5r2-8p9x-hp5m
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub -
[MEDIUM] Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
PKSA-1dbt-xzgs-7gw8 CVE-2026-25493 GHSA-8jr8-7hr4-vhfx
Affected version: >=4.0.0-RC1,<=4.16.17|>=5.0.0-RC1,<=5.8.21
Reported by:
GitHub