Security Advisories - craftcms/cms

craftcms/cms Security Advisories for 4.16.18 (28)

[MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint

PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh

Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14

Reported by:
GitHub
[MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx

Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14

Reported by:
GitHub
[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub
[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub
[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub
[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub
[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c

Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7

Reported by:
GitHub
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf

Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5

Reported by:
GitHub
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748

Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4

Reported by:
GitHub
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController

PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2

Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4

Reported by:
GitHub
[HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel

PKSA-w79g-q9vy-mw7b CVE-2026-31857 GHSA-fp5j-j7j4-mcxc

Affected version: >=4.0.0-beta.1,<=4.17.3|>=5.0.0-RC1,<=5.9.8

Reported by:
GitHub
[MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

PKSA-t9v1-2frg-d2wy CVE-2026-31859 GHSA-fvwq-45qv-xvhv

Affected version: >=5.7.5,<=5.9.6|>=4.15.3,<=4.17.2

Reported by:
GitHub
[LOW] Craft CMS has a potential information disclosure vulnerability in preview tokens

PKSA-24yr-dkzm-n9v5 CVE-2026-29113 GHSA-vg3j-hpm9-8v5v

Affected version: >=5.0.0-RC1,<5.9.6|>=4.0.0-RC1,<4.17.3

Reported by:
GitHub
[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration

PKSA-s2xd-twzp-9yz7 CVE-2026-29069 GHSA-234q-vvw3-mrfq

Affected version: >=4.0.0-RC1,<4.17.0-beta.2|>=5.0.0-RC1,<5.9.0-beta.2

Reported by:
GitHub
[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action

PKSA-c1gj-84dj-vvh3 CVE-2026-28782 GHSA-jxm3-pmm2-9gf6

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[MEDIUM] Craft CMS has Twig Function Blocklist Bypass

PKSA-x1f7-3vrt-jvfj CVE-2026-28783 GHSA-5fvc-7894-ghp4

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment

PKSA-zp4z-c8gp-zpww CVE-2026-28781 GHSA-2xfc-g69j-x2mp

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates

PKSA-jqb9-4xf5-mdn1 CVE-2026-28697 GHSA-v47q-jxvr-p68x

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

PKSA-skz7-x8dk-h7t1 GHSA-4mgv-366x-qxvx

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub
[HIGH] Craft CMS has IDOR via GraphQL @parseRefs

PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj

Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1

Reported by:
GitHub
[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

PKSA-n7dz-mnbq-y23y CVE-2026-28695 GHSA-94rc-cqvm-m4pw

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.8.7,<5.9.0-beta.1

Reported by:
GitHub
[LOW] Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type

PKSA-cf9h-wtzj-5nwd GHSA-6j87-m5qx-9fqp

Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-beta.1,<=4.16.18

Reported by:
GitHub
[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

PKSA-qgft-95tr-t5vt CVE-2026-27129 GHSA-v2gc-rm6g-wrw9

Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22

Reported by:
GitHub
[MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit

PKSA-k33k-b5qw-yqgp CVE-2026-27128 GHSA-6fx5-5cw5-4897

Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18

Reported by:
GitHub
[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

PKSA-ycmx-j7s8-wyxz CVE-2026-27127 GHSA-gp2f-7wcm-5fhx

Affected version: >=3.5.0,<=4.16.18|>=5.0.0-RC1,<=5.8.22

Reported by:
GitHub
[MEDIUM] Craft CMS has Stored XSS in Table Field via "HTML" Column Type

PKSA-knkq-h2rk-yc48 CVE-2026-27126 GHSA-3jh3-prx3-w6wc

Affected version: >=5.0.0-RC1,<=5.8.22|>=4.5.0-RC1,<=4.16.18

Reported by:
GitHub
[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation

PKSA-zjy6-pdtw-mck8 CVE-2026-25497 GHSA-fxp3-g6gw-4r4v

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub

craftcms/cms Security Advisories for 4.16.18 (28)

[MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint

[MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations

[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController

[HIGH] CraftCMS has an RCE vulnerability via relational conditionals in the control panel

[MEDIUM] CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization

[LOW] Craft CMS has a potential information disclosure vulnerability in preview tokens

[HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration

[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

[MEDIUM] Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action

[MEDIUM] Craft CMS has Twig Function Blocklist Bypass

[MEDIUM] Craft CMS: Entries Authorship Spoofing via Mass Assignment

[CRITICAL] Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates

[LOW] Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

[HIGH] Craft CMS has IDOR via GraphQL @parseRefs

[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

[LOW] Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type

[MEDIUM] Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

[MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit

[HIGH] Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

[MEDIUM] Craft CMS has Stored XSS in Table Field via "HTML" Column Type

[HIGH] Craft CMS: GraphQL Asset Mutation Privilege Escalation