Vulnerabilities in craftcms
99 results

CVE-2026-41130 | MEDIUM | Craft CMS has a host header injection leading to SSRF via resource-js endpoint | EPSS 0.3%
CVE-2026-25486 | MEDIUM | Craft Commerce has Stored XSS in Shipping Methods Name Field Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-41128 | MEDIUM | Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action | EPSS 0.2%
CVE-2026-33051 | MEDIUM | Craft CMS Vulnerable to Stored XSS in Revision Context Menu | EPSS 0.2%
CVE-2026-28782 | MEDIUM | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | EPSS 0.2%
CVE-2026-29176 | MEDIUM | Craft Commerce has Stored XSS in Inventory Location Name | EPSS 0.2%
CVE-2025-68436 | MEDIUM | Craft CMS vulnerable to potential information disclosure via unchecked asset relocation | EPSS 0.2%
CVE-2026-56385 | MEDIUM | Craft CMS - Authorization Bypass in assets/preview-file Endpoint | EPSS 0.2%
CVE-2026-27126 | MEDIUM | Craft CMS has Stored XSS in Table Field via "HTML" Column Type | EPSS 0.2%
CVE-2026-33161 | LOW | Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users | EPSS 0.2%
CVE-2026-29177 | LOW | Craft Commerce has Stored XSS in Craft Commerce Order Details Slideout | EPSS 0.2%
CVE-2026-29175 | HIGH | Multiple Stored XSS in Commerce Inventory Page Leading to Session Hijacking | EPSS 0.2%
CVE-2026-56384 | MEDIUM | Craft CMS - Missing Authorization in assets/preview-thumb Endpoint | EPSS 0.2%
CVE-2026-31859 | MEDIUM | Craft has Reflective XSS via incomplete return URL sanitization | EPSS 0.2%
CVE-2026-56393 | MEDIUM | Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options | EPSS 0.2%
CVE-2026-56383 | MEDIUM | Craft CMS - Stored XSS in Table Field via Row Heading Column Type | EPSS 0.2%
CVE-2026-27128 | MEDIUM | Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit | EPSS 0.2%
CVE-2026-29113 | LOW | Craft has a potential information disclosure vulnerability in preview tokens | EPSS 0.2%
CVE-2026-56381 | MEDIUM | Craft CMS - Stored XSS via User Group Name in User Permissions Page | EPSS 0.1%